Wednesday, October 3, 2012

Learning from Spam

Occasionally I like to look at the dark side of the internet. And spam does a great job of bringing plenty of malware-laden websites to my spam folder for me to stroll through. Today I stumbled upon a very nicely crafted email from "YouTube":

What caught my attention was that the sender took the time to craft this naughty email with care. If you look closely, when hovering over the links that I expected to take me to, my email client didn't show a link to something naughty, but rather a hover text showing a legitimate link to YouTube:

It looks strangely legitimate...

Upon closer inspection it seems that the sender hid the links in a nifty way - by adding a "title" attribute, next to the style attribute, to the <a> tag that linked to the sender's website:

<a href="" style="text-decoration:none; color:#1C62B9;" title="">inbox</a>.

This is the kind of subtle change that can make it difficult for a common user to detect anomalies in their email. When confronted with suspicious emails I often hover over links to see where they really go and I was surprised to see what looked like a legitimate link show up in the hover text. Very nice job, Mr. Attacker. I learned something new from you today.
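A defensive check for the trick described above, as an added example that is not part of the original post: it parses an HTML mail body and reports every link whose title tooltip or visible text names a different host than its href. The sample markup and the tracker.example.net host are constructed, and the host comparison is a simplification with no public-suffix handling.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname inside free text such as a title tooltip or the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def shown_host(text):
    """Hostname a reader would see in the tooltip or link text, or None."""
    m = HOST_IN_TEXT.search(text or "")
    return m.group(1).lower() if m else None

def same_site(a, b):
    """Simplified: equal after dropping 'www.', or one is a subdomain of the other."""
    a, b = a.removeprefix("www."), b.removeprefix("www.")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (where, host shown to the reader, host in href)
        self._open = None    # (href host, title, text parts) of the <a> being read
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = (urlsplit(a.get("href") or "").hostname, a.get("title"), [])
    def handle_data(self, data):
        if self._open:
            self._open[2].append(data)
    def handle_endtag(self, tag):
        if tag != "a" or not self._open:
            return
        href_host, title, parts = self._open
        self._open = None
        for where, text in (("title", title), ("text", "".join(parts))):
            claimed = shown_host(text)
            if href_host and claimed and not same_site(href_host, claimed):
                self.findings.append((where, claimed, href_host))

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample shaped like the tag in the post; tracker.example.net is a placeholder.
SAMPLE = ('<a href="http://tracker.example.net/x"style="text-decoration:none;"'
          'title="http://www.youtube.com/inbox">inbox</a> '
          '<a href="https://www.youtube.com/t/terms" title="youtube.com/t/terms">Terms</a>')
```

Calling `audit(SAMPLE)` flags only the first link, whose tooltip names www.youtube.com while the href points elsewhere.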