Anatomy of Spam: Why you should not click on links in emails
By Jin Nan Goto
Formatting emails in HTML is a very powerful tool and is often used to create very attractive emails. Examples of legitimate uses of HTML email are online promotions and newsletters. However, HTML has been heavily abused and has serious consequences for security. It is very easy to hide the true destination of a link using HTML; this is part of the nature of HTML. Here is the code used to create a link:
<a href="https://evilsite.com"> (This is the actual address of the link)
https://www.onlinebankingsite.com</a> (A fake address posing as a legitimate site)
In HTML a spammer can easily define a URL and also include descriptive text, which is presented to the recipient instead of the URL. The recipient does not see the URL hidden behind the descriptive text, clicks it thinking it leads to the site named in that text, and is directed to whatever site the spammer wants. It is a potent tool often used in phishing attacks to steal usernames and passwords, banking information, credit card numbers, etc.
Here is a real example
I got this suspected phishing email. The link says www.paypal.com. It's also https, so it's secure, right?
Here's what the link looks like if you look at the code. Notice that the real address of the link is not https://www.paypal.com but an IP address.
How to protect yourself
1. The safest way to protect yourself is to turn off the display of HTML in your email program. This ensures that all your messages are displayed as plain text, which is the safest way to use email.
2. If you absolutely need to follow a link in an email, copy the descriptive text of the link and paste it directly into the address bar of your browser. This ensures that the descriptive text is used as the address rather than any hidden address.
3. Many email programs automatically disable links in emails from unknown senders. They will also recognize a spoofed address and warn the user before enabling the links. However, you should never rely on your email program to keep you totally safe.
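The mismatch described in the anchor example above, and the kind of spoofed-address check that step 3 says mail programs perform, as an added Python example (not code from the original article): it parses the anchors in an HTML mail body and flags any whose visible text poses as a URL naming a different host than the href, reporting separately when the href is a bare IP address. The function name `find_spoofed_links`, the `SAMPLE_EMAIL` body and the TEST-NET address 203.0.113.7 are all constructed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that poses as a URL or bare domain, e.g. "www.paypal.com" or "https://bank.example/x".
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def _host(text):
    """Lowercase host of a URL or bare domain; a scheme is prepended so urlparse sees a netloc."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

class _Anchors(HTMLParser):
    """Collects (href, visible text) pairs from the <a> elements of an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_spoofed_links(html):
    """Return (visible text, href, reason) for every anchor whose text names a site other than its href."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not _LOOKS_LIKE_URL.match(text):
            continue  # wording like "Click here" claims no destination, so there is nothing to compare
        real, shown = _host(href), _host(text)
        if real == shown or real.endswith("." + shown) or shown.endswith("." + real):
            continue  # same site, allowing for www. or other subdomain differences
        kind = "a bare IPv4 address" if _IPV4.fullmatch(real) else "a different host"
        findings.append((text, href, f"text shows {shown} but href goes to {kind}: {real}"))
    return findings

# Constructed sample body: the page's own example, the IP-address trick, and one consistent link.
SAMPLE_EMAIL = (
    '<a href="https://evilsite.com">https://www.onlinebankingsite.com</a> '
    '<a href="http://203.0.113.7/webscr">https://www.paypal.com</a> '
    '<a href="https://www.paypal.com/help">paypal.com</a>'
)
```

Running `find_spoofed_links(SAMPLE_EMAIL)` reports the first two anchors and leaves the third alone, since www.paypal.com and paypal.com are the same site.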