Stupid Spammer Tricks – Reversing Characters

Spammers engaged in phishing attacks constantly try to get their emails past spam filters. They try many different tactics, and these can include taking advantage of HTML coding characteristics. These HTML tricks can make the email look normal when rendered in a mail client, while the actual raw text is completely different. This can let the email bypass spam content filters that are looking for the normal text. Here's an example of a normal-looking email:

[Image: the email as rendered in a mail client]

This looks like a possibly real email notifying you about a problem with your account ("real", except for the grammatically poor "why you received this email ?"). This is really a phish using the HTML "Right-to-left override" code ( http://www.fileformat.info/info/unicode/char/202e/index.htm ). Here's the raw HTML markup:

[Image: the raw HTML markup of the email, with the reversed text "remotsuc raeD" highlighted]

Not too easy to read, is it? The HTML "Right-to-left override" code is "&#8238;" (Unicode character U+202E). This is intended to be used when writing bidirectional text that combines left-to-right text with right-to-left text, such as Hebrew or Arabic. The phisher in this case uses it to reverse the email text, in an attempt to bypass spam content filters. Note the highlighted text "remotsuc raeD", which is "Dear customer" backwards. The override code causes the text to be printed from right to left. While some content filters might check for generic phrases like "Dear customer", they probably won't be looking for the reverse text. Likewise, "woleb knil eht no kcilc" will probably not get a second look, unlike "click on the link below".

This technique is related to an older use of the "Right-to-left override" code, from back in the Fall of 2011 (http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/). It was used then to disguise actual file extensions in filenames attached to emails. An attached file would have a filename that looked like "Invexe.doc", which looks like it's a simple Word document. It would actually have the override character inserted after the 'v', so that the real filename would have the text reversed after that, making the real filename "Invcod.exe", which is actually an executable. Instead of reading a Word document, you would install malware.
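A content filter can close this gap by matching against the text as the reader sees it, and by treating the override character in an attachment name as a signal in its own right. The following is an added example, not code from the original post: the function names are hypothetical, the samples are constructed from the strings quoted above, and the reversal is a simplified stand-in for the full Unicode bidirectional algorithm.

```python
import html
import re

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, "&#8238;" in HTML
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override run
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def apply_rlo(text):
    """Simplified bidi: reverse each run after an RLO, up to PDF or end of line."""
    lines = []
    for line in text.splitlines():
        shown, *runs = line.split(RLO)
        for run in runs:
            overridden, _, rest = run.partition(PDF)
            shown += overridden[::-1] + rest
        lines.append(shown)
    return "\n".join(lines)

def visual_text(raw_html):
    """Strip tags first, then decode entities, then apply the override."""
    return apply_rlo(html.unescape(re.sub(r"<[^>]+>", "", raw_html)))

def scan_body(raw_html, phrases=("dear customer", "click on the link below")):
    """Count RLOs and list phrases the reader sees but the raw text lacks."""
    raw = html.unescape(raw_html).lower()
    shown = visual_text(raw_html).lower()
    return {"rlo_count": raw.count(RLO),
            "hidden_phrases": [p for p in phrases if p in shown and p not in raw]}

def scan_filename(name):
    """Report bidi controls in a name, what is displayed, and the real extension."""
    return {"suspicious": any(c in BIDI_CONTROLS for c in name),
            "displayed": apply_rlo(name),
            "real_extension": name.rsplit(".", 1)[-1].lower()}

# Constructed samples built from the strings quoted in the article.
SAMPLE_HTML = "<p>&#8238;remotsuc raeD</p>\n<p>&#8238;woleb knil eht no kcilc</p>"
SAMPLE_NAME = "Inv\u202ecod.exe"

if __name__ == "__main__":
    print(scan_body(SAMPLE_HTML))
    print(visual_text(SAMPLE_HTML))
    print(scan_filename(SAMPLE_NAME))
```

A phrase appearing in `hidden_phrases` means it is visible to the reader but absent from the raw text, which is exactly the mismatch the phisher relies on.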

If you don't have spam filtering, you can check suspicious emails by reading the raw text to see if tricks like this are employed. To do so in Outlook, you can open the message (without clicking on anything in the body), find a blank spot, right click and choose "View Source". In Mozilla Thunderbird, you can press Ctrl+U to see the raw text. If an email has to use tricks like this to get the email delivered to you, you can be sure it's not legitimate and safely ignore it. Clicking on a link like this without at least doing some minor checking can lead to compromise of your credentials (as in this case) or worse, downloading malware. Being informed can help keep you safe.
