Obfuscated Links in emails using JavaScript

Our spam traps started to receive a bunch of phishing emails like the one below, with no link inside. We know many tricks for hiding a URL (JavaScript, forms, etc.), but this one was new: pretending to be an invoice in HTML format, the attached HTML document displays the same content as the mail body and immediately redirects to the fake website.

At first sight the email looks like ordinary spam or phishing, but the interesting part comes from analysing the attached HTML document. The document contains, inside a table row, a piece of obfuscated JavaScript code.

In simple terms, the JavaScript code uses the “location” property that every document has to redirect the web browser to the fake website.

The first thought that comes to mind is that almost no modern email client executes JavaScript when rendering an HTML document. However, even if the email client (Outlook, Windows Mail, Thunderbird, etc.) doesn’t execute the script, the web browser does. As soon as the user opens the attachment with a double click, the web browser loads it and is immediately redirected to the fake website.
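Because the redirect only fires once the attachment is opened in a browser, a mail gateway can inspect the attachment first. The following is an added example, not code from the original analysis: it flags HTML attachments that contain script and reports which redirect or decoding tokens appear in it. The token list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Heuristic tokens: the redirect itself plus decoders commonly used to hide it.
SUSPICIOUS = re.compile(r"\b(?:location|eval|unescape|fromCharCode|atob)\b")

class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element in a document."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def scan_message(raw):
    """Return [(filename, tokens)] for HTML attachments that contain script."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if not name or part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        collector = ScriptCollector()
        collector.feed(html)
        if collector.scripts:  # script in an HTML attachment is itself a signal
            code = "\n".join(collector.scripts)
            findings.append((name, sorted(set(SUSPICIOUS.findall(code)))))
    return findings

# Constructed sample message (not taken from the campaign described above).
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.html"

<table><tr><td>Invoice<script>document.location = unescape("%2F%2Fexample.invalid");</script></td></tr></table>
--b1--
"""
```

An attachment is reported even when the token list comes back empty, since heavy obfuscation can hide every keyword while the presence of script in an "invoice" remains suspicious on its own.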

The website wasn’t available anymore when we started to analyze the emails.

Update:

Virus Bulletin, the maintainer of the “Spammer’s Compendium”, has agreed to officially register and publish this new method under the name “The Responsibility Transfer”. For more details, please visit http://www.virusbtn.com/resources/spammerscompendium/responsibility.xml

Sorin Mustaca
Data Security Expert