notta Posted April 25, 2019 Share Posted April 25, 2019 (edited) Guys, our corporation just sent out another batch of fake emails to see who clicks on the email. The email was so obvious, but holding my mouse over the link shows that the url goes through proofpoint and then the passing link goes to another legit site. I clicked on it to make the argument that the link was valid. Can hover text be spoofed in an Outlook email? Link to comment Share on other sites More sharing options...
Brandon H Supervisor Posted April 25, 2019 Supervisor Share Posted April 25, 2019 I don't believe the hover tag can be spoofed. My company does the same kind of email tests using proofpoint so I know exactly what you mean Jim K 1 Share Link to comment Share on other sites More sharing options...
+BudMan MVC Posted April 25, 2019 MVC Share Posted April 25, 2019 you mean this..? I sent a link that looks like it goes to neowin, but when hover over it actually points to google.. Your asking for the hover could say neowin, but actually take you to google Link to comment Share on other sites More sharing options...
Jim K Global Moderator Posted April 25, 2019 Global Moderator Share Posted April 25, 2019 He is asking if the hover can be spoofed ... so in your example can the hovered www.google.com be spoofed to take you another site like cnn.com Which I do not think is possible...in emails anyway? Link to comment Share on other sites More sharing options...
+BudMan MVC Posted April 25, 2019 MVC Share Posted April 25, 2019 Well sure it could be - something with IDN or unicode.. link could look like it goes to xyz but goes to https://www.plixer.com/blog/network-security/unicode-domain-phishing-attacks/ Or could be something like being NE0WIN.NET vs NEOWIN.NET where the other is a 0 vs an 0.. hover might help you spot the nonsense spam stuff, etc.. - but you should actually look at source code of the email to be sure. goretsky and Jim K 2 Share Link to comment Share on other sites More sharing options...
Jim K Global Moderator Posted April 25, 2019 Global Moderator Share Posted April 25, 2019 2 minutes ago, BudMan said: Well sure it could be - something with IDN or unicode.. link could look like it goes to xyz but goes to https://www.plixer.com/blog/network-security/unicode-domain-phishing-attacks/ Or could be something like being NE0WIN.NET vs NEOWIN.NET where the other is a 0 vs an 0.. hover might help you spot the nonsense spam stuff, etc.. - but you should actually look at source code of the email to be sure. ..ok...aside from that ... can the actual hover be different than what it shows. So, the hover shows a legit www.google.com ... but it actually takes you to bing.com If that makes sense? I think that is what the OP is asking...which I do not think is possible (not counting your example of using O and 0...and similar spoofing techniques) Link to comment Share on other sites More sharing options...
+BudMan MVC Posted April 25, 2019 MVC Share Posted April 25, 2019 here look The hover says its going to www.ca.com - but when try to go there - look where it goes. homograph attack(s) not really anything new... been around for a few years... But as you can see outlook is showing what look to be www.ca.com but goes somewhere else!! Here is some more info https://isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/ To be honest you clicking ###### in email you got... Don't freaking do it... copy and past what is displayed, paste it notepad or the like text editor... Or just type in what you see by hand in another window, etc. Unless you know for freaking SURE where the email came from!!! Here in firefox you can enable network.IDN_show_punycode So now you see this Vs this if not set to show punycode So again NEVER follow links in emails unless you to TRUST the sender 1000%, even then prob better to just type in the url you see that seems legit vs clicking link. Here is original of the gmail I sent to my work address for outlook Does that look like anything like www.ca.com Jim K, Brandon H and goretsky 2 1 Share Link to comment Share on other sites More sharing options...
notta Posted April 25, 2019 Author Share Posted April 25, 2019 (edited) Great info Bud!! I didn't know that you could do that. I just watched a video on youtube that shows it in action. I just tested it out in Outlook by replacing the letter a in gmail.com with the Unicode character U+0430 and when clicking on the link Outlook prompted me with a security concern dialog - "Warning: You are opening a link to an internet site whose Web address may have been disguised to look similar to another web site. Do you want to continue?" I rarely ever click on links, but my assumption that using the hover text was the safe way to go. Now I know differently. Thanks for the education. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted April 25, 2019 MVC Share Posted April 25, 2019 That is just unicode - look into punycode stuff.. Clicking links in emails almost never a good idea! Jim K 1 Share Link to comment Share on other sites More sharing options...
Jim K Global Moderator Posted April 25, 2019 Global Moderator Share Posted April 25, 2019 Love it when BudMan pops in and goes BAM! <inserts knowledge>. With respect to this topic: I was thinking ... well if the hover looks legit (minus the typical spoofing methods) then you're good. Never occurred to me Unicode (and honestly never heard of punycode). Have some reading up to do later. Link to comment Share on other sites More sharing options...
notta Posted April 25, 2019 Author Share Posted April 25, 2019 The guy knows a lot of stuff. When I wrote it I kind of thought he would chime in Jim K 1 Share Link to comment Share on other sites More sharing options...
+BudMan MVC Posted April 26, 2019 MVC Share Posted April 26, 2019 hehe - np guys... Love sharing info! Why I am here.. These are the kind of questions that keep me here to be honest. Actual security issue, not your typical OMG, my dns is leaking how do I use a vpn - which one should I use... The black helicopters are circling Link to comment Share on other sites More sharing options...
Recommended Posts