SA Bugzilla – Bug 4147
Uncaught phish trick using broken OE logic
Last modified: 2005-07-16 03:04:12 UTC
There are some that might say that SA isn't a phishhook, but phish are most often spam, and this case I'm about to describe is one of the few things in the attached mail that can catch it. It relies on what I suspect is a bug in OE for effect. Briefly, the mail has a valid href to a secure site. This is followed by an empty table to obscure the fact that the table is followed by an href to an insecure phish site. This href is then followed by the link text and the SINGLE </a> in the message. OE will display the first link in the status bar, but will take the second link when clicked. This gets around having to use the 'on mouseover' trick to paste a fake site name into the status bar to obscure the real link. The obvious thing to check for here is an href following a previous unterminated href. One could also check for the first link being secure and the second link being either insecure or numeric. This case would also be susceptible to a tag balance check (which is not being performed), but I would hope to be able to give this specific case more weight than a normal tag balance check should give. Thus it should be a more specific test.
Created attachment 2661: Phishing email with creatively broken hrefs
Loren, between us we should be able to put together a test rule which would either do this work, or at least get close enough to give the devs a good starting point. Do you have anything already in the works?
#nasty little piranha, bad phish!
# new spammer trick, overlay an unterminated href with a second one, then terminate
# only the second one. OE shows the text for the first link and goes to the second link!
full     LW_PHISH_5  m'<a\s+[\s\w\=\.]*href=\"https://[^>]{0,300}><table><tr><td><a\s+[\s\w\=\.]*href=\"(?:http:|https://\d)'is
score    LW_PHISH_5  2
describe LW_PHISH_5  unterminated secure href

In case the rule text wraps badly, there are no spaces in it. I don't know that I have any results for the above rule, but I'm pretty sure that I validated that it worked when I wrote it. I also haven't noticed if this has hit recently; it may be stale. Most phish score pretty high here these days, so I usually don't look at them.
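As an added example (not code from this bug, from Loren, or from SpamAssassin), the following transcribes LW_PHISH_5 from the comment above into Python and sets beside it a parser-based check for the trick described in the bug report: a second href that opens before the first <a> has been closed, with an https decoy and a real target that is either plain http or an https URL with a bare IP as host. The sample messages are constructed for the example and are not the attachment; the function names, the example-bank.test and 192.0.2.10 hosts, and the mapping of Perl's 'is' modifiers to re.I | re.S are assumptions. The third sample goes beyond the rule on purpose: extra attributes on the tags defeat the literal <table><tr><td> in the regex but not the structural check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# LW_PHISH_5 as posted, transcribed to Python syntax.
# Assumption: Perl 'is' == re.I | re.S; the \" of the original is a plain " here.
LW_PHISH_5 = re.compile(
    r'<a\s+[\s\w=.]*href="https://[^>]{0,300}><table><tr><td>'
    r'<a\s+[\s\w=.]*href="(?:http:|https://\d)',
    re.I | re.S,
)


class AnchorScanner(HTMLParser):
    """Record every <a href=...> and whether an earlier <a> was still open."""

    def __init__(self):
        super().__init__()
        self.open_anchors = 0
        self.anchors = []  # (href, opened inside an unterminated anchor?)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href:
            self.anchors.append((href, self.open_anchors > 0))
        self.open_anchors += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:
            self.open_anchors -= 1


def is_https(href):
    return href.lower().startswith("https://")


def has_numeric_host(href):
    host = urlparse(href).hostname or ""
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def overlaid_hrefs(html):
    """Return (decoy, real) pairs: a second href that opens before the previous
    <a> was closed, where the decoy is https and the real target is plain http
    or an https URL whose host is a bare IP address."""
    scanner = AnchorScanner()
    scanner.feed(html)
    scanner.close()
    hits, previous = [], None
    for href, nested in scanner.anchors:
        if (nested and previous is not None and is_https(previous)
                and (not is_https(href) or has_numeric_host(href))):
            hits.append((previous, href))
        previous = href
    return hits


def lw_phish_5_matches(html):
    return LW_PHISH_5.search(html) is not None


# Constructed samples (not the attachment from the bug). PHISH mirrors the
# shape LW_PHISH_5 expects; BENIGN has the same links properly closed; VARIANT
# is the same trick with extra attributes that the literal <table><tr><td>
# in the regex does not tolerate.
PHISH = ('<a href="https://www.example-bank.test/secure/login"><table><tr><td>'
         '<a href="http://192.0.2.10/login">Update your account</a>'
         '</td></tr></table>')
BENIGN = ('<a href="https://www.example-bank.test/">Bank</a><table><tr><td>'
          '<a href="http://192.0.2.10/">Mirror</a></td></tr></table>')
VARIANT = ('<a target="_blank" href="https://www.example-bank.test/secure">'
           '<table border="0"><tr><td>'
           '<a href="http://www.example-bank.test.evil.example/login">Verify</a>'
           '</td></tr></table>')

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN), ("variant", VARIANT)):
        print(label, "LW_PHISH_5:", lw_phish_5_matches(sample),
              "overlaid:", overlaid_hrefs(sample))
```

The parser-based check is the "href following a previous unterminated href" test from the bug report rather than a tag-balance check: it only fires when the decoy is https and the target is http or numeric, so an ordinary unclosed <a> around nested links does not score.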
Interesting. A search on my last month's spam shows no hits either. Perhaps this was a short-lived thing and the spammers have moved on. At the time I wrote it, it was catching 5-8 a day out of a total spam load of a couple hundred a day.
Below are three rules developed by Loren and Bob. The first is in 70_sare_obfu0.cf, the third is in 70_sare_obfu1.cf, and the second will be in the next release of obfu0. Too late, and not enough benefit, to get these into 3.1.0, but anyone who wants them can copy them from this entry or use the SARE rules files. If the S/O and counts improve over time, we'll submit them for 3.2.0. (No objection if anyone else can find ways to improve on these, or even replace them with something better.)

rawbody  __SARE_OBFU_SPLIT_HR1A  /href=\"[^"]*\r[^\n]/is
full     __SARE_OBFU_SPLIT_HR1B  /href=\"[^"]*\r[^\n]/is
meta     SARE_OBFU_SPLIT_HR1     __SARE_OBFU_SPLIT_HR1A || __SARE_OBFU_SPLIT_HR1B
score    SARE_OBFU_SPLIT_HR1     1.666
#stype   SARE_OBFU_SPLIT_HR1     obfu
describe SARE_OBFU_SPLIT_HR1     unescaped cr in uri
#hist    SARE_OBFU_SPLIT_HR1     Loren Wilton
#counts  SARE_OBFU_SPLIT_HR1     35s/0h of 260791 corpus (115716s/145075h RM) 05/25/05
#max     SARE_OBFU_SPLIT_HR1     49s/0h of 292007 corpus (122219s/169788h RM) 04/27/05
#counts  SARE_OBFU_SPLIT_HR1     0s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts  SARE_OBFU_SPLIT_HR1     7s/0h of 4677 corpus (810s/3867h ft) 05/28/05
#counts  SARE_OBFU_SPLIT_HR1     352s/0h of 47845 corpus (43810s/4035h MY) 05/28/05

full     SARE_OBFU_SPLIT_REDIR   m'/(?:(?!https?://)h.?t.?t.?p.?:.?/.?/)'i
describe SARE_OBFU_SPLIT_REDIR   gappy redirect
score    SARE_OBFU_SPLIT_REDIR   1.666
#stype   SARE_OBFU_SPLIT_REDIR   obfu
#hist    SARE_OBFU_SPLIT_REDIR   Bob Menschel, June 16 2005
#counts  SARE_OBFU_SPLIT_REDIR   3s/0h of 267372 corpus (127006s/140366h RM) 06/19/05

rawbody  __SARE_OBFU_SPLIT_HR2A  /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
full     __SARE_OBFU_SPLIT_HR2B  /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
meta     SARE_OBFU_SPLIT_HR2     __SARE_OBFU_SPLIT_HR2A || __SARE_OBFU_SPLIT_HR2B
score    SARE_OBFU_SPLIT_HR2     1.023
describe SARE_OBFU_SPLIT_HR2     unescaped cr in uri
#counts  SARE_OBFU_SPLIT_HR2     4893s/46h of 261031 corpus (115925s/145106h RM) 05/29/05
#max     SARE_OBFU_SPLIT_HR2     4930s/59h of 263078 corpus (112438s/150640h RM) 05/16/05
#counts  SARE_OBFU_SPLIT_HR2     2s/0h of 10870 corpus (6385s/4485h CT) 05/15/05
#counts  SARE_OBFU_SPLIT_HR2     6s/2h of 4677 corpus (810s/3867h ft) 05/28/05
#counts  SARE_OBFU_SPLIT_HR2     328s/15h of 47845 corpus (43810s/4035h MY) 05/28/05
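Added example, not SARE's or SpamAssassin's own code: a minimal loader that reads the three rules exactly as posted in the comment above, compiles their Perl-style regexes, evaluates the meta lines and scores a few constructed message bodies, so it is visible which of the CR-split, LF-split and gappy-redirect cases each rule covers and why the negative lookahead in SARE_OBFU_SPLIT_REDIR leaves a clean redirect alone. It simplifies SpamAssassin's semantics: 'full' is taken as headers plus body and 'rawbody' as the body text, only the i, s and m modifiers are honoured, and unscored rules count 1.0 (SpamAssassin's default). All headers, bodies and hostnames are constructed for the example.

```python
import re

# The three rules from the comment above, copied as posted (the #counts/#hist
# metadata lines are dropped; the loader skips '#' lines anyway).
SARE_RULES = r"""
rawbody  __SARE_OBFU_SPLIT_HR1A  /href=\"[^"]*\r[^\n]/is
full     __SARE_OBFU_SPLIT_HR1B  /href=\"[^"]*\r[^\n]/is
meta     SARE_OBFU_SPLIT_HR1     __SARE_OBFU_SPLIT_HR1A || __SARE_OBFU_SPLIT_HR1B
score    SARE_OBFU_SPLIT_HR1     1.666
describe SARE_OBFU_SPLIT_HR1     unescaped cr in uri
full     SARE_OBFU_SPLIT_REDIR   m'/(?:(?!https?://)h.?t.?t.?p.?:.?/.?/)'i
describe SARE_OBFU_SPLIT_REDIR   gappy redirect
score    SARE_OBFU_SPLIT_REDIR   1.666
rawbody  __SARE_OBFU_SPLIT_HR2A  /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
full     __SARE_OBFU_SPLIT_HR2B  /href\s{0,5}=\s{0,5}"[^"]{0,15}[\r\n]/is
meta     SARE_OBFU_SPLIT_HR2     __SARE_OBFU_SPLIT_HR2A || __SARE_OBFU_SPLIT_HR2B
score    SARE_OBFU_SPLIT_HR2     1.023
describe SARE_OBFU_SPLIT_HR2     unescaped cr in uri
"""


def perl_regex(spec):
    """Compile a Perl-style /pat/mods or m'pat'mods into a Python regex.
    Assumption: only i, s and m modifiers occur and the pattern syntax used
    by these rules is valid in Python's re unchanged."""
    if spec.startswith("m"):
        opener = spec[1]
        closer = {"{": "}", "(": ")", "[": "]", "<": ">"}.get(opener, opener)
        start = 2
    else:
        closer, start = spec[0], 1
    end = spec.rindex(closer)
    pattern, mods = spec[start:end], spec[end + 1:]
    flags = 0
    for mod in mods:
        flags |= {"i": re.I, "s": re.S, "m": re.M}[mod]
    return re.compile(pattern, flags)


def load_rules(text):
    """Parse full/rawbody/meta/score/describe lines into a dict keyed by rule name."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        rule = rules.setdefault(name, {"score": None})
        if kind in ("full", "rawbody"):
            rule["kind"], rule["regex"] = kind, perl_regex(rest)
        elif kind == "meta":
            rule["kind"], rule["expr"] = "meta", rest
        elif kind == "score":
            rule["score"] = float(rest.split()[0])
        elif kind == "describe":
            rule["describe"] = rest
    return rules


META_TOKEN = re.compile(r"\|\||&&|!|\(|\)|\w+")


def eval_meta(expr, hits):
    """Evaluate a meta expression (names, ||, &&, !, parentheses) against hits.
    Every token is rewritten to True/False/and/or/not before eval, so no rule
    text reaches the interpreter unchanged."""
    words = {"||": "or", "&&": "and", "!": "not", "(": "(", ")": ")"}
    py = [words.get(t) or ("True" if hits.get(t) else "False")
          for t in META_TOKEN.findall(expr)]
    return bool(eval(" ".join(py), {"__builtins__": {}}))


def score_message(headers, body, rules):
    """Return (total score, sorted names of scored rules that fired).
    Simplification: 'full' sees headers + body, 'rawbody' sees the body."""
    full = headers + "\n\n" + body
    hits = {}
    for name, rule in rules.items():
        if rule.get("kind") in ("full", "rawbody"):
            target = full if rule["kind"] == "full" else body
            hits[name] = rule["regex"].search(target) is not None
    for name, rule in rules.items():  # metas only reference regex rules here
        if rule.get("kind") == "meta":
            hits[name] = eval_meta(rule["expr"], hits)
    fired = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    total = sum((rules[n]["score"] if rules[n]["score"] is not None else 1.0
                 for n in fired), 0.0)
    return round(total, 3), fired


RULES = load_rules(SARE_RULES)

# Constructed bodies (not from the bug's corpus): a CR split inside an href,
# an LF right after the opening quote, a gappy "h t t p : / /" redirect, and a
# clean redirect that SPLIT_REDIR's negative lookahead must leave alone.
HEADERS = "From: alerts@example-bank.test\nSubject: account notice\nContent-Type: text/html"
SPLIT_CR = '<a href="http://www.example-bank.test/\rlogin">sign in</a>'
SPLIT_LF = '<a href="\nhttp://www.example-bank.test/login">sign in</a>'
GAPPY = '<a href="http://redirect.example/h t t p : / /192.0.2.10/">sign in</a>'
CLEAN = '<a href="http://redirect.example/http://www.example-bank.test/">sign in</a>'

if __name__ == "__main__":
    for label, body in (("split_cr", SPLIT_CR), ("split_lf", SPLIT_LF),
                        ("gappy", GAPPY), ("clean", CLEAN)):
        print(label, score_message(HEADERS, body, RULES))
```

Note that HR1 needs a CR followed by a non-LF character anywhere inside the quoted href, while HR2 only fires when the line break comes within 15 characters of the opening quote; the two constructed split samples land on different rules for that reason, which is also why HR2 carries the lower score and the non-zero ham counts above.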