Email link hover Spoof?



Guys, our corporation just sent out another batch of fake emails to see who clicks on the email. The email was so obvious, but holding my mouse over the link shows that the url goes through proofpoint and then the passing link goes to another legit site. I clicked on it to make the argument that the link was valid. Can hover text be spoofed in an Outlook email?


I don't believe the hover tag can be spoofed.

 

My company does the same kind of email tests using proofpoint, so I know exactly what you mean.


you mean this..?

 

[screenshot: "this what you're talking about"]

 

I sent a link that looks like it goes to neowin, but when you hover over it, it actually points to google..

 

You're asking if the hover could say neowin, but actually take you to google.


He is asking if the hover can be spoofed ... so in your example, can the hovered www.google.com be spoofed to take you to another site like cnn.com?

 

Which I do not think is possible...in emails anyway?


Well sure it could be - something with IDN or unicode.. link could look like it goes to xyz but goes to

 

https://www.plixer.com/blog/network-security/unicode-domain-phishing-attacks/

 

Or could be something like NE0WIN.NET vs NEOWIN.NET, where the one is a 0 vs an O..

 

hover might help you spot the nonsense spam stuff, etc.. - but you should actually look at source code of the email to be sure.

 


2 minutes ago, BudMan said:

Well sure it could be - something with IDN or unicode.. link could look like it goes to xyz but goes to

 

https://www.plixer.com/blog/network-security/unicode-domain-phishing-attacks/

 

Or could be something like NE0WIN.NET vs NEOWIN.NET, where the one is a 0 vs an O..

 

hover might help you spot the nonsense spam stuff, etc.. - but you should actually look at source code of the email to be sure.

 

..ok...aside from that ... can the actual hover be different than what it shows. So, the hover shows a legit www.google.com ... but it actually takes you to bing.com

 

If that makes sense? I think that is what the OP is asking...which I do not think is possible (not counting your example of using O and 0...and similar spoofing techniques)


here look

[screenshot: punycode]

 

The hover says it's going to www.ca.com - but when you try to go there - look where it goes.

 

homograph attack(s) not really anything new... been around for a few years... But as you can see outlook is showing what looks to be www.ca.com but goes somewhere else!!

 

Here is some more info

https://isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/

 

To be honest you clicking ###### in email you got... Don't freaking do it... copy and paste what is displayed, paste it into notepad or a similar text editor... Or just type in what you see by hand in another window, etc.

 

Unless you know for freaking SURE where the email came from!!!

 

Here in firefox you can enable

network.IDN_show_punycode

 

So now you see this

[screenshot: punycodeIDN]

 

Vs this if not set to show punycode

 

[screenshot: notshowpuny]

 

So again NEVER follow links in emails unless you TRUST the sender 1000%, even then prob better to just type in the url you see that seems legit vs clicking the link.

 

Here is original of the gmail I sent to my work address for outlook

[screenshot: gmailoriginal]

 

Does that look like anything like www.ca.com ;)

 


Great info Bud!! I didn't know that you could do that. I just watched a video on youtube that shows it in action. I just tested it out in Outlook by replacing the letter a in gmail.com with the Unicode character U+0430 and when clicking on the link Outlook prompted me with a security concern dialog - "Warning: You are opening a link to an internet site whose Web address may have been disguised to look similar to another web site. Do you want to continue?"

 

I rarely ever click on links, but my assumption was that using the hover text was the safe way to go. Now I know differently. Thanks for the education.

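A defender-side check for what BudMan and the follow-up tester describe: anchor text that disagrees with the real target, IDN look-alikes that only show up in punycode form (like the Cyrillic-a gmail test, U+0430), and the 0-for-O swap. This is an added example, not code from any poster; the KNOWN_GOOD allowlist and the ASCII_CONFUSABLES table are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of domains a reader expects to see (assumption for the demo).
KNOWN_GOOD = {"gmail.com", "neowin.net", "ca.com", "google.com"}
# ASCII characters routinely swapped for look-alike letters (the NE0WIN vs NEOWIN trick).
ASCII_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def to_punycode(host: str) -> str:
    """Return the xn-- (ACE) form, i.e. what Firefox shows with network.IDN_show_punycode on."""
    return host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Approximate the Unicode scripts used in one label (LATIN, CYRILLIC, ...) from char names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_link(display_text: str, href: str) -> list:
    """Compare what the reader sees with the real target; an empty list means nothing odd."""
    findings = []
    target = (urlparse(href).hostname or "").lower()
    shown = ""
    if "." in display_text:  # only treat the anchor text as a host if it looks like one
        as_url = display_text if "://" in display_text else "http://" + display_text
        shown = (urlparse(as_url).hostname or "").lower()
    if shown and shown != target:
        findings.append(f"text shows {shown} but link goes to {target}")
    ace = to_punycode(target)
    if ace != target:
        findings.append(f"target has non-ASCII characters; the browser would load {ace}")
    for label in target.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:  # a single label mixing e.g. Latin and Cyrillic is a homograph tell
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    folded = target.translate(ASCII_CONFUSABLES)
    if folded != target and folded in KNOWN_GOOD:
        findings.append(f"{target} looks like {folded} with digits swapped for letters")
    return findings


if __name__ == "__main__":
    # Constructed samples: the neowin/google mismatch from the thread, a Cyrillic-a gmail
    # look-alike (U+0430) like the one tested in Outlook, and the zero-for-O variant.
    for text, href in [("www.neowin.net", "https://www.google.com/"),
                       ("gmail.com", "https://gm\u0430il.com/login"),
                       ("NE0WIN.NET", "http://NE0WIN.NET/")]:
        print(text, "->", href, inspect_link(text, href) or ["ok"])
```

Run it on the href pulled from the email source (not the hover), which is exactly the check BudMan recommends.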

That is just unicode - look into punycode stuff..

 

Clicking links in emails almost never a good idea! ;)

 

 


Love it when BudMan pops in and goes BAM! <inserts knowledge>.  

 

With respect to this topic:  I was thinking ... well if the hover looks legit (minus the typical spoofing methods) then you're good.  Never occurred to me Unicode (and honestly never heard of punycode).  Have some reading up to do later.  :) 


hehe - np guys... Love sharing info!  Why I am here..

 

These are the kind of questions that keep me here to be honest.

 

Actual security issue, not your typical OMG, my dns is leaking how do I use a vpn - which one should I use... The black helicopters are circling ;)

