
Spoofed <a> HTML tags

Created: 15 Jan 2013

We see a lot of malicious links disguised as legitimate by abusing the <a> tag.  Someone will craft a link that will display as a full link but will really go somewhere else.

example (extra spaces in the tags to try and get them not to render)

< a href=hxxp://malicious.site/virus.exe>hxxp://google.com</a >

By displaying a valid link and using the href to go somewhere else we see a lot of virus activity.  In many cases it's a new virus SEP doesn't know about yet.  We find ourselves submitting 3 or 4 binaries a week this way and in the meantime cleaning up new infections.

We need the gateway to parse the HTML part of messages to do something like:

urlRegex = (?i)\b((?:[a-z][\w-]+:(?:/{1,3}|[a-z0-9%])|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:'".,<>?«»“”‘’]))

(http://daringfireball.net/2010/07/improved_regex_for_matching_urls)

spoofURLRegex = '<a href=\"$urlRegex\">$urlRegex</a>'

if spoofURLRegex.match(email.htmlpart):
    verdict = spam

Does anyone else experience this often?  Have you come up with good strategies to combat it?
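
A parser-based version of the check proposed above, as an added example that is not part of the original post: it flags only anchors whose visible text is itself a URL on a different host than the href. The names `host_of`, `AnchorCollector`, `spoofed_links` and the sample message body are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text counts as a URL if it starts with a scheme or "www." and has no spaces.
URLISH = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)\S+$", re.I)

def host_of(url):
    """Lower-cased hostname without a leading 'www.', tolerating a missing scheme."""
    url = url.strip()
    url = url if "://" in url else "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return re.sub(r"^www\.", "", host)

class AnchorCollector(HTMLParser):
    """Collects (href, visible_text) for every <a> element, quoted href or not."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def spoofed_links(html_part):
    """Return anchors whose visible text is a URL on a different host than the href."""
    parser = AnchorCollector()
    parser.feed(html_part)
    parser.close()
    return [(href, text) for href, text in parser.anchors
            if href and URLISH.match(text) and host_of(text) != host_of(href)]

# Constructed sample HTML part (not taken from a real message).
SAMPLE = (
    '<p><a href=http://files.bad.example/virus.exe>http://google.com</a></p>'
    '<p><a href="https://www.example.org/docs">www.example.org/docs</a></p>'
    '<p><a href="https://example.net/unsubscribe">click here</a></p>'
)
if __name__ == "__main__":
    print(spoofed_links(SAMPLE))
```

Exact host comparison also fires on legitimate mail that routes displayed URLs through a click-tracking redirector, so a gateway would normally treat a hit as a scoring signal or pair it with an allow-list rather than use it as a sole spam verdict.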
