Analyzing the body of this spam message

Question

I recently received this email, from what looks like to be an unprofessional hacker:

Cannot display full mail body.

You will see it when pushing here ^{Sanitized link. Leads to example.com}

^{Gmail error message: 3b19866 (Tue Aug 2 8:56:45 2016)}

^{(formatting replicated)}

The title is leased.

Note that this managed to bypass Google's spam filter and landed right in my "Primary" inbox.

It comes from an obviously personal email (---@gmail.com). ~~I have no relations with this person.~~ Actually, it's plausible this person had me on their address book.

The linked site varies between clicks. One looked a lot like the natural Google login page, but with an actual password field a wrong size. Another was an obvious typical "YOUR COMPUTER HAS BEEN HACKED BLAH BLAH BLAH" site.

My question is: how could this have passed by my spam filter and what's up with the hidden HTML at the end, as well as the weird HTML attributes?

Here's some more proof that the hacker is unprofessional. In the raw HTML version of the message, there's this:

<input type="hidden" name="zewomugo" value="you look at the check feel the feelings of having that money now ">

There are some weird class and id names hidden in the HTML version. They seem semi-random, but contain vowels.

voyoveho
fe
gamofuda
zewomugo

I get nothing when running it through Google Translate, and a quick google shows that they aren't words.

The "Gmail error message part" is wrapped in muted and samp tags. What could that mean, since muted isn't even a HTML tag?

Ummm according to VirusTotal that link downloads a file. Please remove it. — AstroDan, Aug 02 '16 at 16:14
@SilverlightFox you removed the sentence on spam filter, I have nothing wrong with removing a potentially malicious link — noɥʇʎԀʎzɐɹƆ, Aug 02 '16 at 16:18
That was just a race condition between us both clicking Save at the same time. — SilverlightFox, Aug 02 '16 at 16:19
Do we encourage people to fill this site with all the phishing attempts received? Just stop opening them! — Julie Pelletier, Aug 02 '16 at 16:20
`I'm no layman and I haven't been tricked by any of this. What should I do?` - first thing do not access any URLs or images within the email. This confirms to the attacker that you have read it and could be tricked by it. — SilverlightFox, Aug 02 '16 at 16:21
@SilverlightFox meh, more spam is fine. Just more caught criminals — noɥʇʎԀʎzɐɹƆ, Aug 02 '16 at 16:21

score 1 · Answer 1 · answered Aug 02 '16 at 16:27

1

It is likely that the Gmail account you received the email from was hacked, and does not actually belong to the spammer. I have received similar spam emails in the past couple weeks, seemingly from friends and other known contacts. Because these emails are sent through actual Gmail accounts rather than through spoofed From addresses like most spam, they contain valid cryptographic signatures from Google and thus tend to bypass spam filters.

As for how the account was hacked, it's difficult to say for certain but may be related to large-scale data breaches that have occurred recently. Many people unfortunately use the same passwords in multiple places, so when password leaks occur hackers will often attempt to use them to log in to unrelated sites.

I would suggest that you simply report the message as spam; given enough reports Gmail will likely lock the account and alert its legitimate owner of the compromise.

answered Aug 02 '16 at 16:27

tlng05

10,324
1
34
36

Perhaps, but what about the mysterious hidden html at the end? – noɥʇʎԀʎzɐɹƆ Aug 02 '16 at 16:31
1

@uoɥʇʎPʎzɐɹC Difficult to say definitively, but it may be an attempt to perform [bayesian poisoning](http://security.stackexchange.com/questions/12589/what-is-the-point-of-gibberish-spam/47406) considering the random words in the value field. By making it a hidden input, those words can be hidden from the viewer. – tlng05 Aug 02 '16 at 16:36
although these have vowels in them, they aren't the words of any language. Some pretty bad bayesian poisoning to me. (referring to the tag attributes) – noɥʇʎԀʎzɐɹƆ Aug 02 '16 at 16:39
@uoɥʇʎPʎzɐɹC `you look at the check feel the feelings of having that money now` looks like a possible bayesian poisoning attempt. The random-looking "words" in the CSS are likely indeed autogenerated and changed in every email, also to bypass filters. These are fairly standard techniques. – tlng05 Aug 02 '16 at 16:42
not very many words though. the body of the email is made up of normal words too. And `you look at the check feel the feelings of having that money now` doesn't seem random. check -> bank check – noɥʇʎԀʎzɐɹƆ Aug 02 '16 at 16:44
@uoɥʇʎPʎzɐɹC Mark it as spam, and move on. No point in worrying about it further. – tlng05 Aug 02 '16 at 16:46
I want to understand the security concepts behind it ⌐■_■ – noɥʇʎԀʎzɐɹƆ Aug 02 '16 at 16:47
1

@tlng05 for what it's worth, `you look at the check feel the feelings of having that money now` is a quote from a book (The Secret by R. Byrne), so it may not be a random sentence. That being said, I don't know if this makes any difference. – A. Darwin Aug 02 '16 at 16:48
@tlng05 poke poke – noɥʇʎԀʎzɐɹƆ Aug 02 '16 at 17:08

Analyzing the body of this spam message

1 Answers1