I just got a new scam (to me) today that nearly got me.
An email about my Spotify account. I’d recently changed my plan, so good timing by the scammers. It said there was a payment problem and would be charged a cancellation fee.
Fortunately, I’ve trained myself to ONLY GO DIRECT TO THE SITE AND LOGIN THERE. So, I go to spotify, and the account looks all good. Then when I looked at the email more closely, yep, all the links go to a site not spotify. Gave myself a pat on the back.
Once the scam email is marked as spam, it garbles itself, so you can’t look at what it had said. Hadn’t seen that before. Of course, if you unmark it as spam, you can see it again.
I was amazed. Assumed it’s a whopping big pile of JavaScript in an html attachment. Yeah, i still have it. Will take a proper look tomorrow if I remember…
Screen caps of email. The first is as it arrived in the Inbox, the second in the Junk folder.
Basically, they have an inline HTML file (and an inline spotify png). The HTML has lots of embedded rubbish text, associated with a specific style. That style is set to display:none, so it is hidden.
Now by default Thunderbird shows me the inline images and css. As it’s set none, I don’t see the rubbish text and the message looks and reads like a normal message.
But when it’s marked as Junk, Thunderbird won’t show the image, and won’t show any css. So the message then displays all the rubbish text and it looks garbled.
eg: the Bold heading in the body of the email is actually the html here
That’s pretty standard with moz - junk mail use hotlinked images and shit so they can see on their traffic side when an email is viewed. It’s why mail programs increasingly block external content by default (well that and the viral payloads). When you flag as spam, thunderbird takes it out of the ‘allow remote content’ list.
I just got a new scam (to me) today that nearly got me.
An email about my Spotify account. I’d recently changed my plan, so good timing by the scammers. It said there was a payment problem and would be charged a cancellation fee.
Fortunately, I’ve trained myself to ONLY GO DIRECT TO THE SITE AND LOGIN THERE. So, I go to spotify, and the account looks all good. Then when I looked at the email more closely, yep, all the links go to a site not spotify. Gave myself a pat on the back.
Once the scam email is marked as spam, it garbles itself, so you can’t look at what it had said. Hadn’t seen that before. Of course, if you unmark it as spam, you can see it again.
Be careful out there!
That sounds impossible. Have you got the raw source?
I was amazed. Assumed it’s a whopping big pile of JavaScript in an html attachment. Yeah, i still have it. Will take a proper look tomorrow if I remember…
Checked it out, and it’s simpler than I thought.
Screen caps of email. The first is as it arrived in the Inbox, the second in the Junk folder.
Basically, they have an inline HTML file (and an inline spotify png). The HTML has lots of embedded rubbish text, associated with a specific style. That style is set to display:none, so it is hidden.
Now by default Thunderbird shows me the inline images and css. As it’s set none, I don’t see the rubbish text and the message looks and reads like a normal message.
But when it’s marked as Junk, Thunderbird won’t show the image, and won’t show any css. So the message then displays all the rubbish text and it looks garbled.
eg: the Bold heading in the body of the email is actually the html here
That’s pretty standard with moz - junk mail use hotlinked images and shit so they can see on their traffic side when an email is viewed. It’s why mail programs increasingly block external content by default (well that and the viral payloads). When you flag as spam, thunderbird takes it out of the ‘allow remote content’ list.