Over the past couple of months we have been noticing spam coming to us and many of our clients that has a consistent structure. The content varies, the sending email varies and the destination URL for the embedded text links varies but how the spam email is obfuscated does not. Outwardly the spam looks like a basic text only email with one or two text links. The content is very spammy and is generally trying to sell weight watching or diet products. This is content that should generally be easily blocked and not even received. So it was odd that these were slipping by the spam filters. After getting a few of these and hearing about it from some of our clients we decided to investigate these spam emails a little further. The first giant red flag was the URL structure of the destination links, which you generally see in your email client by just hovering your mouse over the text link without actually clicking on the link. Many of the links appeared to go to compromised WordPress websites of varying domains. The image below shows a couple example emails and the destination links in the hover-over popup box.

The second red flag was that we weren’t able to cursor-select any of the text in the email. At first we thought maybe part of or all of the email was actually just an image … although that wouldn’t allow text links to work or the “hover over the link” feature to work. When we looked at the raw message data it became obvious what was going on. Basically all the text in the email was being obfuscated through base64 encoding (image below).

What all the spam emails had in common in the raw message data were these two lines below. This base64 encoded all the text and in some cases all the HTML content in the visible body of the email message. I am not sure if all email clients automatically base64 decode text/html content but I presume that they do … even though this seems like a very non-standard use within an email.

Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: base64

Normally base64 encoding is used for adding embedding images or attachments to an email message. I am not sure if I have ever seen it used in this way before, but it explains why the text was not selectable by a cursor and why it was slipping past standard keyword spam filters. The destination link for this example was clearly a compromised WordPress site. Interestingly, the domain name enilgincbilgiler(dot)com was just recently registered and is being hosted in Turkey (see below). However, I would be willing to guess that there is no consistent pattern, country of origin, or hosting provider with all of the different spam emails we have seen and archived. Maybe when I have some extra time I can look into what these destination links are trying to accomplish and if the registrants are even aware that their sites are being used in this way. In all likelihood it is malicious and trying to install malware and/or ransomware on unsuspecting users.

We would love to hear from our readers if any of you have seen something like this before and what some of the message rules or spam filters you used to catch this kind of spam.

Eric Company News, Cybersecurity, Digital Investigations, Website Security