Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

Spoofed <a> HTML tags

Created: 15 Jan 2013 • Updated: 15 Jan 2013

We see a lot of malicious linked disguised as legitimate by abusing the <a> tag. Someone will craft a link that will display as a full link but will really go somewhere else.  There can be no proper use for displaying a fully compliant URI and having the href go somewhere else.

example (extra spaces in the tags to try and get them not to render)

< a href=hxxp://malicious.site/virus.exe>hxxp://google.com</a >

By displaying a valid link and using the href to go somewhere else we see a lot of virus activity.  In many cases it's a new virus SEP doesn't know about yet.  We find ourselves submitting 3 or 4 binaries a week this way and in the meantime cleaning up new infections.

We need the gateway to parse the html part of messages do do something like:

urlRegex = (?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'".,<>?«»“”‘’]))

(http://daringfireball.net/2010/07/improved_regex_for_matching_urls)

spoofURLRegex = '<a href=\"$urlRegex\">$urlRegex</a>'

if spoofURLRegex.match(email.htmlpart):

verdict = spam

 

Obviously real code would have to be much more complex and actually parse html.  You can see in the example below the inner html has font and underline tags to force the link to be the correct colour.

something like:

links = getElementsByTagName('a')

for link in links:

if link.innerHTML matches URLRegex AND link.outerHTML matches URLRegex:

verdict = spam

Does anyone else experience this often?  Have you come up with good strategies to combat it?

Example from this week:

 
< a href=hxxp://www.ttisupport.com/c2c/complaint34281.zip>< font size=3 color=blue face="Arial">< u>hxxps://ftc.gov/ftc/complaints/download.aspx?complaint_id=34281</u></font></a>
Discussion Filed Under: