Email link hover Spoof?

Question

notta    71
Posted (edited)

Guys, our corporation just sent out another batch of fake emails to see who clicks on the email. The email was so obvious, but holding my mouse over the link shows that the URL goes through Proofpoint and then the passing link goes to another legit site. I clicked on it to make the argument that the link was valid. Can hover text be spoofed in an Outlook email?

11 answers to this question

+BudMan    3,425

Here, look:

[image: punycode.png]

The hover says it's going to www.ca.com, but when you try to go there, look where it goes.

Homograph attacks are not really anything new... they've been around for a few years... But as you can see, Outlook is showing what looks to be www.ca.com but it goes somewhere else!!

 

Here is some more info

https://isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/

 

To be honest, you clicking ###### in an email you got... Don't freaking do it... copy and paste what is displayed into Notepad or a similar text editor... Or just type in what you see by hand in another window, etc.

 

Unless you know for freaking SURE where the email came from!!!

 

Here in Firefox you can enable:

network.IDN_show_punycode

 

So now you see this:

[image: punycodeIDN.png]

 

vs. this if not set to show punycode:

[image: notshowpuny.png]

 

So again, NEVER follow links in emails unless you TRUST the sender 1000%; even then it's prob better to just type in the URL you see that seems legit vs. clicking the link.

 

Here is the original of the Gmail message I sent to my work address for Outlook:

[image: gmailoriginal.png]

 

Does that look anything like www.ca.com ;)

 

Brandon H    2,734

I don't believe the hover tag can be spoofed.

 

My company does the same kind of email tests using Proofpoint, so I know exactly what you mean.

+BudMan    3,425

You mean this..?

[image: thiswhatyourtalkingabout.png]

I sent a link that looks like it goes to Neowin, but when you hover over it, it actually points to Google..

You're asking whether the hover could say Neowin but actually take you to Google.

Jim K    12,781

He is asking if the hover can be spoofed... so in your example, can the hovered www.google.com be spoofed to take you to another site like cnn.com?

Which I do not think is possible... in emails anyway?

+BudMan    3,425

Well sure it could be - something with IDN or Unicode.. the link could look like it goes to xyz but goes to

https://www.plixer.com/blog/network-security/unicode-domain-phishing-attacks/

Or it could be something like NE0WIN.NET vs NEOWIN.NET, where the one is a 0 vs an O..

Hover might help you spot the nonsense spam stuff, etc.. - but you should actually look at the source code of the email to be sure.

 

Jim K    12,781
2 minutes ago, BudMan said:

    Well sure it could be - something with IDN or Unicode.. the link could look like it goes to xyz but goes to

    https://www.plixer.com/blog/network-security/unicode-domain-phishing-attacks/

    Or it could be something like NE0WIN.NET vs NEOWIN.NET, where the one is a 0 vs an O..

    Hover might help you spot the nonsense spam stuff, etc.. - but you should actually look at the source code of the email to be sure.

..ok... aside from that... can the actual hover be different from what it shows? So, the hover shows a legit www.google.com... but it actually takes you to bing.com

If that makes sense? I think that is what the OP is asking... which I do not think is possible (not counting your example of using O and 0... and similar spoofing techniques).

notta    71
Posted (edited)

Great info Bud!! I didn't know that you could do that. I just watched a video on YouTube that shows it in action. I just tested it out in Outlook by replacing the letter a in gmail.com with the Unicode character U+0430, and when clicking on the link Outlook prompted me with a security concern dialog: "Warning: You are opening a link to an internet site whose Web address may have been disguised to look similar to another web site. Do you want to continue?"

I rarely ever click on links, but my assumption was that using the hover text was the safe way to go. Now I know differently. Thanks for the education.

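As an added example (my own code, not anything from BudMan, notta or the linked articles) covering BudMan's www.ca.com punycode demonstration, his NE0WIN vs NEOWIN point and notta's U+0430 test: a small Python checker that pulls each link out of an email's HTML, converts the host to its punycode (xn--) form with Python's built-in idna codec, flags labels that mix alphabets or mix the digit 0 with letters, and reports when the visible link text names a different host than the href. The email body below is constructed for the example; `analyze_html`, `analyze_link` and the finding codes are my own names, not an Outlook or Proofpoint API.

```python
"""Flag email links whose visible text or host could mislead a reader.

Added example for this thread, not code from Neowin or any poster. It assumes
the message body has already been extracted to an HTML string; the sample
below is constructed here, not a real message.
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or bare domain such as 'www.ca.com', else None."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def to_punycode(host):
    """ACE (xn--) form of a host; a pure-ASCII host comes back unchanged."""
    return host.encode("idna").decode("ascii")


def letter_scripts(label):
    """Script names (first word of the Unicode character name) of a label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze_link(href, text):
    """Return a list of (code, detail) findings for one anchor."""
    findings = []
    host = host_of(href)
    if host is None:
        return [("NO_HOST", href)]
    ace = to_punycode(host)
    if ace != host:  # the host only *looks* ASCII; this is what the browser resolves
        findings.append(("IDN", f"{host} is really {ace}"))
    for label in host.split("."):
        scripts = letter_scripts(label)
        if len(scripts) > 1:  # e.g. Latin letters plus one Cyrillic lookalike
            findings.append(("MIXED_SCRIPT", f"{label}: {sorted(scripts)}"))
        if "0" in label and any(ch.isalpha() for ch in label):  # NE0WIN-style O/0 swap
            findings.append(("DIGIT_ZERO", f"{label} mixes digit 0 with letters"))
    shown = host_of(text)  # visible text that itself names a host
    if shown is not None and to_punycode(shown) != ace:
        findings.append(("DISPLAY_MISMATCH", f"text says {shown}, link goes to {ace}"))
    return findings


def analyze_html(body):
    """Run analyze_link over every anchor in an HTML email body."""
    parser = AnchorCollector()
    parser.feed(body)
    return [{"href": h, "text": t, "findings": analyze_link(h, t)} for h, t in parser.links]


# Constructed sample body: a display/href mismatch, a Cyrillic 'a' (U+0430)
# in gmail.com as in notta's test, a 0-for-O swap, and one clean link.
SAMPLE_EMAIL = (
    "<p>Please review your account:</p>"
    '<a href="http://www.google.com/">http://www.neowin.net/</a><br>'
    '<a href="http://gm\u0430il.com/login">gmail.com</a><br>'
    '<a href="https://www.ne0win.net/">Neowin</a><br>'
    '<a href="https://www.neowin.net/">Neowin forums</a>'
)

if __name__ == "__main__":
    for result in analyze_html(SAMPLE_EMAIL):
        print(result["href"], "->", result["findings"] or "ok")
```

The mixed-script check is a rough stand-in for what Firefox does before deciding whether to show punycode; it only keys off Unicode character names, so treat a hit as a reason to read the raw message source, as BudMan says, not as a verdict.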
+BudMan    3,425

That is just Unicode - look into the punycode stuff..

 

Clicking links in emails almost never a good idea! ;)

 

 

Jim K    12,781

Love it when BudMan pops in and goes BAM! <inserts knowledge>.

With respect to this topic: I was thinking... well, if the hover looks legit (minus the typical spoofing methods) then you're good. Unicode never occurred to me (and honestly I'd never heard of punycode). Have some reading up to do later. :)

notta    71

The guy knows a lot of stuff. When I wrote it I kind of thought he would chime in :)

+BudMan    3,425

hehe - np guys... Love sharing info! That's why I am here..

These are the kind of questions that keep me here, to be honest.

An actual security issue, not your typical "OMG, my DNS is leaking, how do I use a VPN, which one should I use"... The black helicopters are circling ;)
