Stupid Spammer Tricks – Reversing Characters

Spammers engaged in phishing attacks constantly try to get their emails past spam filters. They try many different tactics, including taking advantage of HTML coding characteristics. These HTML tricks can make the email look normal when rendered in a mail client while the actual raw text is completely different. This can let it bypass spam content filters that are looking for the normal text. Here's an example of a normal-looking email:

[Image: the email as rendered in a mail client]

This looks like a possibly real email notifying you about a problem with your account ("real", except for the grammatically poor "why you received this email ?"). This is really a phish using the HTML "Right-to-left override" code (http://www.fileformat.info/info/unicode/char/202e/index.htm). Here's the raw HTML markup:

[Image: the raw HTML markup of the email, with the text "remotsuc raeD" highlighted]

Not too easy to read, is it? The HTML "Right-to-left override" code is "&#x202E;" (Unicode U+202E). This is intended to be used when writing bidirectional text that combines left-to-right text with right-to-left text, such as Hebrew or Arabic. The phisher in this case uses it to reverse the email text, in an attempt to bypass spam content filters. Note the highlighted text "remotsuc raeD", which is "Dear customer" backwards. The override code causes the text to be printed from right to left. While some content filters might check for generic phrases like "Dear customer", they probably won't be looking for the reverse text. Likewise, "woleb knil eht no kcilc" will probably not get a second look, unlike "click on the link below".

This technique is related to an older use of the "Right-to-left override" code, from back in the Fall of 2011 (http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/). It was used then to disguise actual file extensions in filenames attached to emails. An attached file would have a filename that looked like "Invexe.doc", which looks like it's a simple Word document. It would actually have the override character inserted after the 'v', so that the real filename would have the text reversed after that, making the real filename "Invcod.exe", which is actually an executable. Instead of reading a Word document, you would install malware.
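Both uses of the override can be checked for mechanically. The following is an added example, not code from the original post: it decodes character references, undoes each override run so a filter sees the text as displayed, and compares the displayed and real extensions of an attachment name. The function names, the sample markup and the simplification that an override run ends at a U+202C or at the next tag are assumptions made for the illustration.

```python
import html
import re

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, which ends an override run
TAG = re.compile(r"(<[^>]*>)")

def displayed(segment):
    """Approximate the rendered order of one text run: reverse whatever
    follows each RLO, up to a PDF or the end of the run."""
    first, *overridden = segment.split(RLO)
    out = [first]
    for chunk in overridden:
        run, _, rest = chunk.partition(PDF)
        out.append(run[::-1] + rest)
    return "".join(out)

def scan_html(raw, phrases):
    """Report RLO use and any watched phrase that only appears once the
    override is undone, i.e. text hidden from a filter reading the raw body."""
    parts = TAG.split(raw)
    # Even indexes are the text between tags; unescape turns &#8238; into U+202E.
    texts = [html.unescape(p) for p in parts[::2]]
    raw_text = " ".join(texts).lower()
    seen_text = " ".join(displayed(t) for t in texts).lower()
    hidden = [p for p in phrases
              if p.lower() in seen_text and p.lower() not in raw_text]
    return {"rlo_count": raw_text.count(RLO), "hidden_phrases": hidden}

def scan_filename(name):
    """Compare the extension a user sees with the one the OS acts on."""
    shown = displayed(name)
    return {"rlo": RLO in name, "shown": shown,
            "shown_ext": shown.rpartition(".")[2],
            "real_ext": name.rpartition(".")[2]}

# Constructed sample modelled on the strings quoted in the article.
SAMPLE = ("<p>&#8238;remotsuc raeD</p>"
          "<p>&#x202E;woleb knil eht no kcilc</p>")
WATCHED = ["Dear customer", "click on the link below"]

if __name__ == "__main__":
    print(scan_html(SAMPLE, WATCHED))
    print(scan_filename("Inv" + RLO + "cod.exe"))
```

A non-zero `rlo_count` in mail that is otherwise left-to-right, or a `shown_ext` that differs from `real_ext`, is a strong signal on its own, independent of which phrases are watched.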

If you don't have spam filtering, you can check suspicious emails by reading the raw text to see if tricks like this are employed. To do so in Outlook, you can open the message (without clicking on anything in the body), find a blank spot, right-click and choose "View Source". In Mozilla Thunderbird, you can press Ctrl+U to see the raw text. If an email has to use tricks like this to get delivered to you, you can be sure it's not legitimate and safely ignore it. Clicking on a link like this without at least doing some minor checking can lead to compromise of your credentials (as in this case) or, worse, downloading malware. Being informed can help keep you safe.
