
I recently received the following (rather obvious) phishing email:

[screenshot of the phishing email]

I'm not a PayPal user, so this was particularly un-alarming for me. However, when viewed as plain text, it became evident that there were hidden characters between every displayed letter of each word, like so:

------------------------------ ------------------------------ ---------- Statement your account has been updated successfully on 12:30:14 pm Friday, December 22, 2017


HzeglelMo,

YmocuTr aMcacdoduvnbt cfhoannlgze1s sHuzcocXeysVsmfEudlIlKy cwh9a2nOgVead.

TFhFe dHePt2aNi2lGs oZf thhte cThzaAnAgJe3s abr9e iIn aztbteaVcshsegd DLorwCnIlFo6ald aYn0d rgeuaid tchGe altjtFaScMhJepd YZobu w3inlWl fOiAnFd m5edsDs0aHgJe iQn A2dToebee RgefaEdAenr (kPyDKFV) AfwoHr1mraMtn.

TuhsaunxkWs fjorr jXori1neienRg t6hKe mkimlAlci4oKn6s off pkeiospslLe w8h8o rIeGlDy oSn uNs tho mpatkEe s4e2csu3rie fFiqnNaXnsccikaEl thrtaEnOsia2cFt6iWocn2s a7rUoPuTned tLh1e wIoxr5lnd0.

SIiTnocAefrSeVlWyd,W

PVacy6Pka1l1bidttS0u4pjp0oErCtE.k

HbeUlrp r|xddl8vSme5cKu6rQi8tcyoslnnfCte8nrtDrDe

PcavyqPzaDlkix8tt(yEGuIrRodp9eP) S.à ri.jlH.IeSt C3i2ee, Sb.rC8.EAp.M SyobcHiété eOn CqoGmImwaBnmdhiYtfe plaAr AacNtkiIonXs. RoeSgPirsNtpe6rreWd oefGfJi1cteD: 212w-t2P4 BloJuJl5ejvBaYrmd R6oGykahl, Ls-c2S4r4r9 Lzulx1etmbb7u9rkg1. RKCHS LmuFxweCmUbyuLrmg BE 161t8 3V419a.

What could this be for? Has anyone ever seen this?

UPDATE - here are the From + Subject headings

From: service@intl.paypal.com .

Sent: Sunday, December 24, 2017 9:39 PM

Subject: Case ID Number PP-M-LL0PUG4V : Statement your account has been updated successfully on 12:30:14 pm Friday, December 22, 2017

NH.
homerman
  • Please attach the whole raw email subject. – mootmoot Dec 27 '17 at 16:08
  • For the record: PayPal e-mails will never include attachments and there will never be a generic greeting. Their anti-phishing policy is explicit about this. Even if you were a PayPal user, you would have nothing to worry about (as long as you don't touch the PDF). – Mast Dec 27 '17 at 23:52
  • Well, bad English is your first sign. – Captain Hypertext Dec 28 '17 at 13:41
  • Please also report spoofs to PayPal by forwarding them to spoof@paypal.com – Wes Toleman Dec 28 '17 at 17:35
  • Sorry for the confusion; can you do a Google search on your email client for "view raw email source", copy and paste the whole content source part to pastebin.com (you can omit the whole email header to protect your privacy), and then share the link? Then everyone can check what kind of obfuscation method is used inside the malware spam mail. – mootmoot Dec 28 '17 at 18:42
  • @NH. - no, please don't ask people to post the potential payload. Even with base-64 encoding or whatever else you might come up with. It's a bad idea, and we don't want it. – Rory Alsop Dec 28 '17 at 19:08
  • It's also telling that they call it "Adobe Reader (PDF) format." Adobe Reader is a reader, not a format (PDF is the format), so the fact that they're emphasizing the program over the format suggests that they're trying to get you to open it with that *specific program* in order to exploit a vulnerability specific to it. – Southpaw Hare Dec 28 '17 at 21:01
  • @Mast: Interesting how PayPal.com says "If information is required to confirm or maintain your account, you will be asked to visit PayPal.co.uk to login securely." – user541686 Dec 29 '17 at 00:27
  • @Mehrdad That's because the link goes to paypal.com/uk. – J F Dec 29 '17 at 16:12
  • "Download and read the attached You will find" is a dead giveaway. I hope PayPal understands English grammar. – user253751 Dec 30 '17 at 20:38

4 Answers


This is just regular malware spam.

The evil part of this message is likely the attached PDF it mentions. It likely contains an exploit which targets a vulnerability in one or more PDF readers and does something bad if opened with a vulnerable program. So do not open the attachment.

The reason for the gibberish text in the email's source code is likely to confuse spam filters so they don't filter it.

Philipp
  • ah-ha - didn't consider the spam filtering. Thanks! – homerman Dec 27 '17 at 17:00
  • This is what I figured the answer is, but I'm curious as to why a spam filter would filter out a somewhat coherent real-text email while allowing complete gibberish strings of characters to pass through; you'd think, if anything, the gibberish one would be marked as spam. – DasBeasto Dec 27 '17 at 20:48
  • Agreed... but what heuristics could you apply to identify "gibberish"? I think trying to do this would result in a lot of false positives. – homerman Dec 27 '17 at 22:17
  • This is not some random gibberish, it's just a random character after every actually displayed one – this should be quite easy to decipher and filter. – dessert Dec 28 '17 at 13:18
  • @dessert Only if you notice a pattern of many spam mails using this. And if you then add a custom filter rule specifically for this to your spam filter, the spammers can easily break it by just slightly modifying their obfuscation method. – Philipp Dec 28 '17 at 13:21
  • @Philipp I mean, once this is known (if I were writing a spam filter) I would just update the algorithm to strip invisible characters before running the existing checks. I don't see that adding many false positives or being defeated by trivial modifications (e.g. using 2 invisible characters between each displayed one). – Kamil Drakari Dec 28 '17 at 15:08
  • The "invisible" characters could better be characterized as a spam-bypass technique. And while there's an infinite number of those, you would expect spam filters to detect the most common. Invisible characters have been known for over a decade, by several means (such as font color and Unicode tricks). Positively detecting any such technique is a very strong spam (or malware) indicator. – MSalters Dec 29 '17 at 14:50
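The pre-processing step the comments above argue about (strip the padding first, then run the existing checks), as an added example written for this thread rather than code from the original post or from any real mail filter: it de-interleaves the stride-2 padding quoted in the question and shows that a naive keyword rule fires only after cleanup. The mini lexicon, the keyword list and the choice of stride are constructed assumptions; note that the padding parity is not constant in the sample (compare "YmocuTr" with "AfwoHr1mraMtn."), so the lexicon decides per word.

```python
"""Recover the visible text from the stride-2 character padding quoted in the
question, then run the kind of keyword rule a simple spam filter applies.

Added example for this Q&A thread; it is not code from the original post or
from any mail filter. The mini lexicon and the keyword rule are assumptions.
"""

import re

# Three lines copied verbatim from the plain-text body quoted in the question.
RAW_LINES = [
    "HzeglelMo,",
    "YmocuTr aMcacdoduvnbt cfhoannlgze1s sHuzcocXeysVsmfEudlIlKy cwh9a2nOgVead.",
    "TFhFe dHePt2aNi2lGs oZf thhte cThzaAnAgJe3s abr9e iIn aztbteaVcshsegd "
    "DLorwCnIlFo6ald aYn0d rgeuaid tchGe altjtFaScMhJepd YZobu w3inlWl fOiAnFd "
    "m5edsDs0aHgJe iQn A2dToebee RgefaEdAenr (kPyDKFV) AfwoHr1mraMtn.",
]

# Constructed mini lexicon (assumption): a real filter would use a full
# dictionary or a character-level language model, as the comments suggest.
LEXICON = {
    "hello", "your", "account", "changes", "successfully", "changed", "the",
    "details", "of", "are", "in", "attached", "download", "and", "read", "you",
    "will", "find", "message", "adobe", "reader", "pdf", "format",
}

# Trigger words of a naive rule (assumption: constructed, not any vendor's).
KEYWORDS = {"account", "attached", "download", "pdf"}


def _core(word: str) -> str:
    """Letters only, lower-cased, for lexicon and keyword lookups."""
    return re.sub(r"[^a-z]", "", word.lower())


def deobfuscate_token(token: str) -> str:
    """Return the visible characters of one padded token.

    The padding sits at every other position, but the parity is not the same
    for every word ('YmocuTr' -> 'Your' uses the even stride, 'AfwoHr1mraMtn.'
    -> 'format.' the odd one), so both strides are tried and the lexicon
    decides. The even stride is the fallback because it dominates the sample.
    """
    even, odd = token[0::2], token[1::2]
    if _core(even) in LEXICON:
        return even
    if _core(odd) in LEXICON:
        return odd
    return even


def deobfuscate(text: str) -> str:
    """De-interleave every whitespace-separated token of a message body."""
    return "\n".join(
        " ".join(deobfuscate_token(tok) for tok in line.split())
        for line in text.splitlines()
    )


def matched_keywords(text: str) -> set:
    """Keyword rule of a naive filter: which trigger words occur as whole words."""
    words = {_core(w) for w in text.split()}
    return KEYWORDS & words


if __name__ == "__main__":
    raw = "\n".join(RAW_LINES)
    print("raw text triggers:", matched_keywords(raw) or "nothing")
    cleaned = deobfuscate(raw)
    print("after cleanup:\n" + cleaned)
    print("cleanup triggers:", matched_keywords(cleaned))
```

On the quoted lines the raw text trips none of the trigger words, while the cleaned text trips all four; the same cleanup turns the body back into ordinary English that dictionary- or model-based scoring can judge.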

This is some sort of over-engineered malware spam that escapes a typical email client's (e.g. Outlook client) simple spam filter due to the gibberish text. However, it is useless against a well-maintained spam mail scanning engine that is capable of handling HTML spam email and looks for suspicious/obfuscated JavaScript code.

(update) As some mentioned, an email client will not execute JavaScript to do the de-obfuscation. A simple Google search for "Obfuscated spam email" will get you some similar examples. Since the OP didn't show us the actual email header, I can only assume that the content is deobfuscated and rewritten using JavaScript.

I just discovered it is possible to use a CSS stylesheet to fool around, but you still need JavaScript. All these obfuscation/deobfuscation mechanisms will expose the spam and help build some sort of spam detection.

mootmoot
  • JavaScript code? I'm not aware of any mail client executing JavaScript. Is this a mistake? – Xavier59 Dec 27 '17 at 17:37
  • @Xavier59 ;-) https://stackoverflow.com/questions/3054315/is-javascript-supported-in-an-email-message – mootmoot Dec 28 '17 at 08:33
  • I'm not a CSS expert or a professional phisher, but note that it displays one character out of every 2 characters. My guess is that, playing with margins or fonts or whatever, each character is placed over the next one, thus hiding it. I think the question you are linking to about JavaScript in mail clients is too outdated to be considered. No serious mail client should accept/execute JavaScript nowadays. – Xavier59 Dec 28 '17 at 09:54
  • @Xavier59 Honestly, there is nothing for sure unless we are able to get a copy of the sample. – mootmoot Dec 29 '17 at 09:21

The gibberish is intended to confuse the virus and/or spam filters. If the filter reads the actual (gibberish) text, it will not recognize the trigger words or patterns, as I would assume the gibberish letters are generated randomly and are different for every message. Some spam filters, such as the one from Gmail, rely on identifying spam messages because they are identical to messages sent to other users as well.

Depending on the quality of the filters, this kind of obfuscation may or may not work. But the principle of spam is that it doesn't have to work on everyone, only on enough targets. So as long as it bypasses some filters, it is worth using.

Tom
  • Good spam filters detect a high percentage of gibberish and classify the message based on that alone. You don't even need multiple dictionaries; Markov chain models are much smaller and might even be shared across related languages (e.g. Spanish/Portuguese/Italian). – MSalters Dec 29 '17 at 14:54
  • Yes, but again, spam is considered if it actually reaches something like 1% of the targeted inboxes. – Tom Dec 29 '17 at 14:55
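Two of the points in this answer and its comments, as an added example that is not code from the original post or from any mail provider: random padding changes the hash of every copy, so an exact-duplicate check of the kind the answer mentions fails until the padding is normalised away, while a cheap gibberish score of the kind MSalters describes still flags the padded body. The padding generator, the clean sample text and the scoring heuristic are constructed assumptions; the one quoted line is copied from the question.

```python
"""Why per-message random padding defeats exact-duplicate matching, and a
cheap gibberish score that still catches the padded body.

Added example for this answer; not code from the original post or from any
mail provider. The padding generator, CLEAN and the heuristic are assumptions.
"""

import hashlib
import random
import re
import string

# Constructed clean body (assumption): roughly the visible text behind the
# question's sample, before the spammer padded it.
CLEAN = ("Your account changes successfully changed. The details of the changes "
         "are in attached. Download and read the attached.")

# One line copied verbatim from the plain-text body quoted in the question.
SAMPLE_LINE = "YmocuTr aMcacdoduvnbt cfhoannlgze1s sHuzcocXeysVsmfEudlIlKy cwh9a2nOgVead."

PAD_ALPHABET = string.ascii_letters + string.digits


def pad(text: str, rng: random.Random) -> str:
    """Insert one random character after every character of every word,
    mimicking the pattern in the question (constructed, not the spammer's code).
    A different rng seed yields a different copy of the same visible message."""
    return " ".join(
        "".join(ch + rng.choice(PAD_ALPHABET) for ch in word)
        for word in text.split(" ")
    )


def strip_padding(padded: str) -> str:
    """Normalisation step: undo pad() by keeping every other character of each word."""
    return " ".join(word[0::2] for word in padded.split(" "))


def fingerprint(text: str) -> str:
    """Exact-match fingerprint, the kind a 'seen this message before' filter keeps."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


WORD = re.compile(r"[A-Za-z0-9]+")
LOOKS_PADDED = re.compile(r"\d|[a-z][A-Z]")


def gibberish_ratio(text: str) -> float:
    """Fraction of words containing a digit or an upper-case letter right after a
    lower-case one. Ordinary prose scores near 0 (brand names such as PayPal are
    the exception); the padded sample scores near 1. Constructed heuristic
    standing in for the language model a real filter would use."""
    words = WORD.findall(text)
    if not words:
        return 0.0
    return sum(1 for w in words if LOOKS_PADDED.search(w)) / len(words)


if __name__ == "__main__":
    copy_a = pad(CLEAN, random.Random(1))
    copy_b = pad(CLEAN, random.Random(2))
    print("raw fingerprints equal:", fingerprint(copy_a) == fingerprint(copy_b))
    print("normalised fingerprints equal:",
          fingerprint(strip_padding(copy_a)) == fingerprint(strip_padding(copy_b)))
    print("gibberish ratio clean/padded/sample:",
          gibberish_ratio(CLEAN), gibberish_ratio(copy_a), gibberish_ratio(SAMPLE_LINE))
```

The two padded copies carry the same visible text but different raw hashes, which is exactly what breaks a filter that keys on identical messages; hashing after normalisation restores the match, and the gibberish ratio needs no normalisation at all to flag either copy.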

My guess is that the text version of the mail is the one shown, followed by an HTML version, which can contain additional obfuscations (such as hidden spans with unnecessary text, like H<span style="visibility:hidden">bz<span style="visibility:hidden">ZornWasHere</span>w</span>ello), again, to avoid spam filters.

If you set your email client to show the pure text of the email, probably what you pasted will show up as the content of the email.

The fact that a PDF (or an EXE with a PDF-like icon) is attached or not is irrelevant to the way the spammer avoided detection.
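The HTML variant this answer describes, as an added example that is not part of the original post: a parser that keeps only text outside visibility:hidden and display:none elements (nested ones included) recovers the displayed words, while a filter that merely strips tags sees the junk and misses the trigger words. The HTML sample is constructed from the answer's own pattern.

```python
"""Extract what the recipient actually sees from an HTML body that hides junk
inside visibility:hidden / display:none spans, and compare that with a naive
tag strip.

Added example for this answer; not code from the original post. HTML_BODY is
constructed from the pattern the answer describes.
"""

import re
from html.parser import HTMLParser

# Constructed HTML body: junk spans after visible letters, one of them nested
# (as in the answer's example), plus a display:none variant.
HTML_BODY = (
    '<p>H<span style="visibility:hidden">bz'
    '<span style="visibility:hidden">ZornWasHere</span>w</span>ello, '
    'y<span style="display:none">q7</span>our '
    'a<span style="visibility: hidden;">K</span>ccount</p>'
)

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "col", "wbr"}


class VisibleText(HTMLParser):
    """Collect text that is not inside a hidden element.

    A stack of 'was this element hidden?' flags plus a depth counter keeps
    nested hidden spans hidden until the outermost one closes.
    """

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0
        self.stack = []
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:          # no closing tag, never holds text
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style))
        self.stack.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.stack and self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Text as a CSS-aware renderer would display it."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def naive_strip(html: str) -> str:
    """What a filter that only removes tags would score: junk included."""
    return re.sub(r"<[^>]+>", "", html)


if __name__ == "__main__":
    print("naive:  ", naive_strip(HTML_BODY))
    print("visible:", visible_text(HTML_BODY))
```

Inline-style checks like this cover the pattern in the answer; a stylesheet that hides elements by class, or font-colour and zero-size tricks, need the same treatment applied to the computed style rather than the style attribute alone.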