Attackers don’t always have direct access to your email.
Some systems have filters that root out phish and spam. But attackers are trying to game the gateway to sneak in.
Watch here:
Slipping Through
Your email system may have a gateway — an email security gateway — that decides if messages show up in your inbox or not.
Messages that look like typical scams get a thumbs down. What an attacker to do?
In some cases, they’ll add ‘invisible’ letters or characters to trick the gateway into thinking the messages are legitimate.
“You can kind of marvel at their ingenuity,” said Dave Baggett, CEO of security company Inky, which works to block malicious emails, in an interview with Archer News. “It’s evil, but it’s ingenious.”
Invisible Attack
Attackers will add in a soft hyphen between letters, for example.
This character tells the system it can make a break between syllables at the end of a line — if needed — and add an actual, visible hyphen.
Behind the scenes, the computer can read and process the soft hyphen, shown in this example as an X:
You Need To Reset Your PassXword
In the end, the message shows up for you as this, if you need a line break:
You Need To Reset Your Pass-
word
And simply this, if you don’t:
You Need To Reset Your Password
How does this help attackers?
Adding soft hyphens between letters can fool some gateways into thinking it’s not a traditional phishing message.
The gateway may be looking for this potential scam phrase:
You Need To Reset Your Password
But instead sees this:
YXoXuX NXeXeXdX TXoX RXeXsXeXtX YXoXuXrX PXaXsXsXwXoXrXd
And could usher the message on through.
For you, it would still look very normal — and tempting:
You Need To Reset Your Password
Zero-Width Space
Instead of the soft hyphen, attackers also use the ‘zero-width space,’ shown here as a 0. That character tells the computer to make a word break at the end of a line, among other things.
The computer sees this:
Y0o0u0 N0e0e0d0 T0o0 R0e0s0e0t0 Y0o0u0r0 P0a0s0s0w0o0r0d0
And you see only:
You Need To Reset Your Password
In Action
In one case, phishers used zero-width spaces in scam website addresses.
Email systems often check links for maliciousness. But the zero-width characters prevented the system from seeing the links as actual links, according to security company Avanan in January, 2019.
The messages with the unverified links went through to people, sending them to fake banking websites and other sites designed to steal their passwords.
Microsoft Office 365 has fixed the issue allowing that to happen, Avanan said.
Attackers have also tried using bypassing filters with font size set to zero and backwards text that reverses to forward when you see the message.
Yelp Reviews
Some attack messages even show up with Yelp reviews, according to Baggett.
“It’s totally bizarre when you look at these phishing emails and you look under the hood. You see all this weird Yelp review text that has nothing to do with what the phish is about,” he said.
Why? They’re trying to fool the gateway into thinking it’s a personal message, written by a human for a human.
“This is a conversational mail,” Baggett said. “This is from a person talking to their mom, because that’s going to deactivate a bunch of checks that they would do for a banking mail, right, for example.”
The Yelp review won’t show up for you. In some cases, the attackers use text that’s the same color as the background, so you see nothing.
“You could scroll down and see where there’s a white space with no text,” he explained. “Actually, there is text. That’s just white on white.”
Visible Tactics
Some tricks may actually catch your eye.
A group of attackers wrote the word “attached” as “at__t_ach__ed” in a phishing email designed to look like an invoice from an accounting company, according to Juniper Threat Labs in August.
Other attackers sent ‘sextortion’ emails with the bitcoin address split into two parts to avoid filters flagging financial scams, reported Bleeping Computer in December:
Part 1 Bit Coins: 3Bv9QgEw15QQo1T
Part 2 bit addresses: EUVW4hbBkkd2fEtFfPP
“Important: You must connect the two parts (part 1 of the bit-coin address + part 2 of the address of the bit-coin) without spaces between them,” the extortion note read.
What to Do?
“It’s not a great idea to click on things,” Baggett said. Instead, go directly to the site yourself.
For example, you may receive an email claiming to be from Amazon, telling you that you need to change your password.
“Just go to Amazon by typing ‘Amazon’ in your browser,” Baggett said. “Log in there. And you’ll get to the same thing. If it’s real, if it’s not Amazon, it won’t prompt you to do anything. And you know, ‘Oh, that was a scam.'”
Messages asking you to send wire transfers or reset your password are especially suspect, he added.
“Use a second channel of second communication channel that the attacker couldn’t have been in the middle of to verify,” Baggett said.
Main image: Letter with scorpion. Image: alfdaur/iStock