SpiderLabs Blog

Stupid Spammer Tricks – Reversing Characters

Spammers engaged in phishing attacks constantly try to get their emails past spam filters. They try many different tactics, and these can include taking advantage of HTML coding characteristics. These HTML tricks can make the email look normal when rendered in a mail client, but the actual raw text is completely different. This can let it bypass spam content filters that are looking for the normal text. Here's an example of a normal looking email:

[Screenshot: the phishing email as rendered in a mail client]

This looks like it could be a real email notifying you about a problem with your account ("real" apart from the ungrammatical "why you received this email ?"). It is actually a phish that uses the "Right-to-left override" character (Unicode U+202E, http://www.fileformat.info/info/unicode/char/202e/index.htm). Here's the raw HTML markup:

[Screenshot: raw HTML source of the message, with the reversed text "remotsuc raeD" highlighted]

Not too easy to read, is it? The "Right-to-left override" is Unicode character U+202E, which appears in HTML as the numeric entity &#8238;. It is intended for writing bidirectional text that combines left-to-right text with right-to-left text such as Hebrew or Arabic. The phisher in this case uses it to reverse the email text in an attempt to bypass spam content filters. Note the highlighted text "remotsuc raeD", which is "Dear customer" backwards. The override character causes the text that follows it to be displayed from right to left, so the mail client shows the normal wording while the stored text is reversed. While some content filters might check for generic phrases like "Dear customer", they probably won't be looking for the reversed text. Likewise, "woleb knil eht no kcilc" will probably not get a second look, unlike "click on the link below".

This technique is related to an older use of the "Right-to-left override" code, from back in the Fall of 2011 (http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/). It was used then to disguise actual file extensions in filenames attached to emails. An attached file would have a filename that looked like "Invexe.doc", which looks like it's a simple Word document. It would actually have the override character inserted after the 'v', so that the real filename would have the text reversed after that, making the real filename "Invcod.exe", which is actually an executable. Instead of reading a Word document, you would install malware.
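As an added illustration (not code from the original post), the following Python applies the same idea from the defender's side: it decodes the HTML entity, approximates what the recipient sees by reversing each override run, and checks the phrase list against that rendered text, so "remotsuc raeD" still matches "Dear customer". The same routine also shows the attachment trick from the 2011 case, turning the stored name Invcod.exe with an override after the "v" into the displayed Invexe.doc. The sample HTML, the phrase list and all function names are constructed for this example.

```python
import html
import re
# Unicode bidi controls: embeddings/overrides U+202A..U+202E, isolates U+2066..U+2069.
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE, the character the phish relies on (HTML &#8238;)
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an override run
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069]")
TAG = re.compile(r"<[^>]+>")

def has_bidi_control(text: str) -> bool:
    """True if any explicit bidi control character is present (rare in legitimate mail)."""
    return BIDI_CONTROLS.search(text) is not None

def _run_end(text: str, start: int) -> int:
    # An override run lasts until a PDF or the end of the paragraph (newline).
    for j in range(start, len(text)):
        if text[j] in (PDF, "\n"):
            return j
    return len(text)

def render_rlo(text: str) -> str:
    """Approximate what the recipient sees: each run after an RLO is reversed up to the next
    PDF or newline and the controls are dropped (a simplification of the Unicode bidi algorithm)."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == RLO:
            end = _run_end(text, i + 1)
            out.append(text[i + 1:end][::-1])
            i = end + 1 if end < len(text) and text[end] == PDF else end
        elif BIDI_CONTROLS.match(ch):
            i += 1                      # other controls: drop, nothing to reverse
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def scan_email_html(raw_html: str, phrases=("dear customer", "click on the link below")) -> dict:
    """Strip tags, decode entities (&#8238; -> U+202E), then match phrases against the
    text as displayed rather than as stored in the raw message."""
    decoded = html.unescape(TAG.sub("\n", raw_html))
    visible = render_rlo(decoded)
    return {"bidi_control": has_bidi_control(decoded), "visible": visible.strip(),
            "phrase_hits": [p for p in phrases if p in visible.lower()]}

def filename_report(name: str) -> dict:
    """Displayed name vs. real name of an attachment, plus the real extension."""
    real = BIDI_CONTROLS.sub("", name)
    return {"displayed": render_rlo(name), "real": real, "ext": real.rsplit(".", 1)[-1].lower()}
# Constructed sample modelled on the trick in the post (not the original email).
SAMPLE_HTML = "<p>&#8238;,remotsuc raeD</p><p>&#8238;.woleb knil eht no kcilc esaelP</p>"
```

A filter can flag any message where has_bidi_control() is true, since legitimate English mail almost never contains these characters, and match its phrase rules against the "visible" text instead of the raw source.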

If you don't have spam filtering, you can check suspicious emails by reading the raw text to see whether tricks like this are employed. To do so in Outlook, open the message (without clicking on anything in the body), find a blank spot, right click and choose "View Source". In Mozilla Thunderbird, press Ctrl+U to see the raw text. If an email has to use tricks like this to get delivered to you, you can be sure it's not legitimate and can safely ignore it. Clicking a link in such a message without at least some basic checking can lead to the compromise of your credentials (as in this case) or, worse, to downloading malware. Being informed can help keep you safe.
