I recently received a fairly poorly constructed phishing email and filed it away as a sample to use for ‘easy’ phishing simulations for users. Quite a few people seem to have received it too, as it was being shown on social media sites as an example of a poor phishing campaign (which it is). One thing that is important to remember, however, is that as poor as it was, it still made it to the inbox despite inbound mail filtering being in place.
While I was setting it up as a template for PhishDom, I delved into the code a bit and thought I’d explain what I found and how I improved on the original design. Firstly, let’s take a look at the original:

As you can see, it really is poor: the spacing is inconsistent, the layout shabby, and there are faint lines joining all of the words. Most of these issues are due to the way the author has tried to hide the content from email scanning/filtering software, by putting additional random characters in between the visible letters and setting their font size to very small.
In reality the first line (which appears to say Office – 365) actually says the following (I have added gaps and emboldened the text to make it clearer):
fzie6SzT O RZBFlD6v f 6SJmJnkU fi m4rSnaic c 8AJqNiaf e MXHxv6Wh – qhF3xdgy 3 baoe5pwf 6 jowdc2HK 5
The author then used font sizing to shrink the nonsense text, leaving only Office – 365 large; the small adjoining lines we see are actually the nonsense text shrunk down.
For anyone wanting to see the actual markup code (HTML):
<span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">fzie6SzT</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">O</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">RZBFlD6v
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">f</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">6SJmJnkU
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">fi</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">m4rSnaic
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">c</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">8AJqNiaf
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">e</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">MXHxv6Wh
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">-</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">qhF3xdgy
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">3</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">baoe5pwf
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">6</span><span style="font-size:1.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">jowdc2HK
</span><span style="font-size:36.0pt;font-family:&quot;Segoe UI&quot;,sans-serif;color:#FF1F1F">5</span><span style="font-family:&quot;Segoe UI&quot;,sans-serif;color:black">
</span>
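A defender-side check for this trick, added here as an example (it is not code from the original post or from PhishDom): it parses an HTML body into the text a reader actually sees and the text shrunk below a readable size, so a mail filter can compare the two and flag a message whose hidden-character ratio is high. The sample mark-up is constructed from the heading above with the font-family and colour trimmed, and the 4pt threshold is an assumption.

```python
import re
from html.parser import HTMLParser

TINY_PT = 4.0      # assumed threshold: text at or below this size is unreadable
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}
FONT_SIZE = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*pt", re.I)

class FontSizeSplitter(HTMLParser):  # splits text by the font size it inherits
    def __init__(self):
        super().__init__()
        self.sizes = []                 # stack of font sizes (pt) for open elements
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return                      # no end tag will follow, so push nothing
        m = FONT_SIZE.search(dict(attrs).get("style") or "")
        inherited = self.sizes[-1] if self.sizes else None
        self.sizes.append(float(m.group(1)) if m else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.sizes:
            self.sizes.pop()

    def handle_data(self, data):
        size = self.sizes[-1] if self.sizes else None
        if size is not None and size <= TINY_PT:
            self.hidden.append(data)    # a scanner reads this, a human does not
        else:
            self.visible.append(data)

def split_text(html):  # -> (reader_text, hidden_text), whitespace normalised
    p = FontSizeSplitter()
    p.feed(html)
    p.close()
    return " ".join("".join(p.visible).split()), " ".join("".join(p.hidden).split())

def hidden_ratio(html):  # fraction of non-whitespace characters a reader never sees
    visible, hidden = split_text(html)
    n_vis, n_hid = len(visible.replace(" ", "")), len(hidden.replace(" ", ""))
    return n_hid / (n_vis + n_hid) if n_vis + n_hid else 0.0

# Constructed sample modelled on the heading above (font-family and colour trimmed).
HIDDEN = ["fzie6SzT", "RZBFlD6v", "6SJmJnkU", "m4rSnaic", "8AJqNiaf",
          "MXHxv6Wh", "qhF3xdgy", "baoe5pwf", "jowdc2HK"]
SHOWN = ["O", "f", "fi", "c", "e", "-", "3", "6", "5"]
SAMPLE = "".join(f'<span style="font-size:1.0pt">{h}\n</span>'
                 f'<span style="font-size:36.0pt">{s}</span>' for h, s in zip(HIDDEN, SHOWN))
BENIGN = '<p style="font-size:11.0pt">Your Office 365 password expires soon.</p>'
```

For the sample the reader text comes out as Office-365 while nearly 90% of the characters are hidden, whereas the benign paragraph scores zero; a filter can scan the reader text for the usual lures and treat a high ratio as its own signal.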
How to improve it?
Now, I was using this as a template for the ‘easy to spot’ category of simulations for PhishDom, but it was just too easy to spot, so I wondered if I could improve on it. I decided to do the following:
- Change the nonsensical characters so that, in combination with the ‘big’ words, they form actual words (if not a proper sentence).
- Change the color of the smaller words to a slightly less contrasting one so it’s harder to spot.
- Adjust the text a little (so it doesn’t effectively say “Hello email address”).
- Obfuscate the word password in a smarter way.
Firstly, mimicking the author’s technique, I updated the text for password so it was evenly spaced, adding only one or two characters in between. To email scanners, the word password actually reads:
prats’s swoon red
It’s not poetry, but they are words, and so it should add to the perception that it’s not obfuscation.
Next up, I applied the same technique to the Office 365 heading, which actually says in the code:
Odd for fit its cat eats. 3 is 6 of 5
Again, still nonsense but an email filter will likely be tricked by it.
A few tweaks to the grammar and the final aesthetic touches were applied to give us this:

As you can see, the spacing of the characters is still skewed slightly by the hidden letters, but it’s a bit more convincing than the original and even less likely to get picked up by email scanners.