Many scam emails are painfully obvious to experienced web users. Spelling errors, absurd scenarios, and dubious attachments are usually clear signs of mischief.

In reality, though, not all phishing attempts are so flagrant, and assuming that they are can lead to a false sense of security. Some are so carefully crafted that they are capable of fooling even the most savvy users.

Phishing emails are especially convincing when they abuse some of the advanced techniques we discuss in this article.

When we think of website vulnerabilities, images of large-scale hacks and disastrous data breaches spring to mind. But the most common vulnerabilities are a lot more pedestrian.

They usually don’t result in a complete takeover of a website, but instead give attackers some kind of small win, such as access to some privileged information or the ability to insert a bit of malicious code into a page.


Certain types of vulnerabilities allow an attacker to leverage a site’s domain to create a URL that appears to originate from that site, but whose destination is actually under the attacker’s control.

These “legitimate” URLs are extremely useful to email scammers because they are more likely to bypass filters or escape the notice of victims.

Open Redirects

Websites often have a need to redirect users to some other site (or a different page on the same site) without using a regular link. A redirect URL might take a form like:

    http://vulnerable.com/go.php?url=<some url>

This can help companies keep track of which links are clicked, but it becomes a security issue when anyone can use the redirect to create a link to any page on the web.

For example, a scammer could exploit your trust of vulnerable.com to create a link that actually sends you to evil.com:

    http://vulnerable.com/go.php?url=http://evil.com
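The fix on the server side is to validate the destination before redirecting. This is an added example, not code from the article; the host vulnerable.com and the `url` parameter come from the text, while the allow-list and the fallback page are assumptions:

```python
"""Server-side guard for a redirect endpoint like go.php?url=<some url>."""
from urllib.parse import urljoin, urlparse

SITE_HOST = "vulnerable.com"                      # host that go.php lives on
ALLOWED_HOSTS = {SITE_HOST, "docs.vulnerable.com"}  # constructed allow-list
FALLBACK = "https://vulnerable.com/"              # where rejected requests go


def safe_redirect_target(url_param: str) -> str:
    """Return a destination that is safe to redirect to, or FALLBACK.

    Rejects foreign hosts, scheme-relative links such as //evil.com,
    non-http(s) schemes such as javascript:, and look-alike hosts such as
    vulnerable.com.evil.com or vulnerable.com@evil.com.
    """
    candidate = (url_param or "").strip()
    if not candidate:
        return FALLBACK
    # Resolve against our own origin first, so a bare path like "/account"
    # becomes absolute and "//evil.com" is exposed as a foreign host.
    resolved = urljoin(f"https://{SITE_HOST}/", candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return FALLBACK
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return FALLBACK
    # Always redirect to the resolved absolute URL, never to the raw
    # parameter, so browser quirks in parsing the raw string cannot matter.
    return resolved
```

The same allow-list check applies to any parameter a site uses as a redirect target, whatever it is called.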

Google search has a variant of this issue. Every link you see in a search result page is actually a redirect from Google that looks something like this:

    https://www.google.com/url?<some parameters>&ved=<some token>&url=<site's url>&usg=<some token>

This helps Google keep track of clicks for analytics purposes, but it also means that every page indexed by Google has a redirect link on Google’s own domain, which could be used for phishing.

In fact, this has already been exploited several times in the wild, but Google apparently doesn’t consider it enough of a vulnerability to remove the redirect functionality.

Cross-Site Scripting

Cross-site scripting (commonly shortened to XSS) occurs when a site doesn’t properly sanitize user input before including it in a page, allowing attackers to insert malicious JavaScript code.

JavaScript allows you to modify or even completely rewrite the contents of a page.

XSS takes a couple of common forms:

  • Reflected XSS: The malicious code is part of the request to the page. This could take the form of a URL like http://vulnerable.com/message.php?<script src=evil.js></script>
  • Stored XSS: The JavaScript code is stored directly on the site’s own server. In this case, the phishing link may be a totally legitimate URL with nothing suspicious in the address itself.


Don’t Be Fooled

To avoid being tricked by one of these shady links, carefully read the destination URL of any links you come across in your emails, paying special attention to anything that might look like a redirect or JavaScript code.


To be fair, this isn’t always easy. Most of us are used to seeing URLs from the sites we visit with a bunch of “junk” tacked on after the domain, and many sites use redirection in their legitimate addresses.

URL encoding is a way of representing a character as a percent sign followed by two hexadecimal digits. It is meant for characters that would otherwise confuse your browser; for example, / (forward slash) is encoded as %2F.

Consider the following address:

    http://vulnerable.com/%67%6F%2E%70%68%70%3F%75%72%6C%3D%68%74%74%70%3A%2F%2F%65%76%69%6C%2E%63%6F%6D

After the URL encoding is decoded, it resolves to:

    http://vulnerable.com/go.php?url=http://evil.com

Yes, it’s an open redirect!

There are a couple of ways an attacker could take advantage of this:

  • Some poorly-designed email security filters may not properly decode URLs before scanning them, allowing blatantly malicious links to get through.
  • You as a user can be misled by the strange-looking form of the URL.

The impact depends on how your browser handles links with URL-encoded characters. Currently, Firefox fully decodes all of them in the status bar, which mitigates the problem.

Chrome, on the other hand, only partially decodes them, showing the following in the status bar:

    vulnerable.com/go.php%3Furl%3Dhttp%3A%2F%2Fevil.com

This technique can be particularly effective when combined with one of the methods above to generate a malicious link from a trusted domain.

How to avoid being tricked: Again, carefully inspect the URLs of any links you come across in emails, paying special attention to potential URL-encoded characters. Watch out for any links with a lot of percent signs in them. If in doubt, you can use a URL decoder to see the true form of the URL.
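A small link inspector that does what the paragraph recommends: decode the URL completely (including double-encoded links that a single-pass filter would miss), then report redirect parameters pointing at another host and script tags left in the address. This is an added example rather than the article’s own tool; the hosts and the encoded link are the article’s, and the list of redirect-style parameter names is an assumption:

```python
"""Decode a link fully and flag open-redirect and reflected-XSS signs."""
from urllib.parse import parse_qs, unquote, urlparse

# Assumed parameter names that commonly carry a redirect destination.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "goto", "u"}


def fully_decode(url: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly until the URL stops changing.

    A filter that decodes only once would see %2568 as %68 and never as 'h'.
    """
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def inspect_link(url: str) -> dict:
    """Return the decoded URL, its host, and a list of suspicious findings."""
    decoded = fully_decode(url)
    parsed = urlparse(decoded)
    link_host = (parsed.hostname or "").lower()
    findings = []
    # Once the article's encoded link is decoded, "go.php?url=..." splits
    # into a path and a query like any ordinary redirect link would.
    for name, values in parse_qs(parsed.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            target_host = (urlparse(value).hostname or "").lower()
            # A relative target ("/account") has no host and is not flagged.
            if target_host and target_host != link_host:
                findings.append(f"{name}= redirects to {target_host}")
    if "<script" in decoded.lower():
        findings.append("script tag in URL (reflected XSS)")
    return {
        "decoded": decoded,
        "was_encoded": decoded != url,
        "host": link_host,
        "findings": findings,
    }
```

Run on a Google search-result link of the form shown earlier, it reports the `url=` redirect as well, which is exactly why those links deserve a second look.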

Advanced Techniques for Bypassing Filters

Some techniques specifically aim to fool email filters and anti-malware software rather than the victims themselves.

Modifying Brand Logos to Bypass Filters

Scammers often impersonate trusted companies by including their logos in phishing emails. To fight this, some security filters will scan the images of any incoming emails and compare them to a database of known company logos.

That works well enough if the image is sent unchanged, but often making a few subtle modifications to the logo is enough to bypass the filter.

Obfuscated Code in Attachments


A good email security system will scan every attachment for viruses or known malware, but it’s often not very difficult to bypass these checks. Code obfuscation is one way to do this: the attacker rewrites the malicious code into an elaborate, tangled mess. It behaves exactly as before, but it is hard to decipher and no longer resembles the sample the scanner knows.

Here are a few tips to avoid being caught out by these techniques:

  • Don’t automatically trust any images you see in emails.
  • Consider blocking images altogether in your email client.
  • Don’t download attachments unless you absolutely trust the sender.
  • Know that even passing a virus scan doesn’t guarantee that a file is clean.


Phishing Isn’t Going Anywhere

The truth is, it’s not always easy to detect phishing attempts. Spam filters and monitoring software continue to improve, but many malicious emails still slip through the cracks. Even experienced power users can be fooled, especially when an attack involves particularly sophisticated techniques.

But a little awareness goes a long way. By familiarizing yourself with the scammers’ techniques and following good security practices, you can reduce your chances of being a victim.