In recent times, many users (including Genbeta editors) have noticed an exponential growth of spam in Gmail, specifically spam that Google's much-praised email spam filters do not seem able to detect and filter.
And even worse: the spam that ends up landing in our inbox tends to be scams related to package deliveries. But how do they do it?
A thread explains how spammers get around Gmail’s spam filters
Sergio de los Santos, director of the Cybersecurity Innovation and Laboratory area at Telefónica Digital, has shared a thread on Twitter explaining some of the technical details of what is nothing less than a very well crafted phishing operation.
De los Santos explains that the domains used to send these emails are all relatively recent, and that the websites behind them share a "mailing list" look: they offer a single-field form and an "Unsubscribe" link, although they encourage you to "submit your application" rather than to share your email address.
But the most interesting thing is both the header and the body of the spam email itself. In the header, "it looks something like 'Received: from http://parmaxiz.org.uk (127.0.0.1)', which seems to indicate that the mail originated directly from those domains".
Then, in the body, they insert an apparently legitimate text in English, typical of a purchase confirmation or a password reminder, but with the HTML arranged in such a way that the user never sees that text (in the example below, because it is inserted as the title attribute of a tag).
The base64 code is "useless", as de los Santos points out, with no function other than to simulate encrypted files "to pass the filters".
But if that HTML code is not the text we later see in the email, where does that text come from? Easy: from a PNG file. A PNG file that is repeated, as shown in the thread, across various websites that are very similar to each other.
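The traits de los Santos describes (a Received line naming a remote domain but a loopback address, legitimate-looking text hidden in a title attribute, filler base64 that decodes to nothing readable, and a body whose only visible content is an image) are all things a mail filter can measure. The script below is an added example written for this article, not code from the thread or from any filter; the two messages it inspects are constructed here (the Received header reproduces the shape quoted above), and the thresholds are assumptions chosen for illustration.

```python
"""Heuristics for the spam pattern described above, run over constructed
messages. Flags: a Received header with a loopback address, text hidden in
title attributes, an image-only body, and base64 that decodes to junk."""
import base64
import re
from email import message_from_string
from html.parser import HTMLParser

LOOPBACK_RE = re.compile(r"\((?:127\.\d+\.\d+\.\d+|::1)\)")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class BodyStats(HTMLParser):
    """Counts what a recipient actually sees versus what is hidden."""

    def __init__(self):
        super().__init__()
        self.visible_chars = 0
        self.hidden_title_chars = 0
        self.images = 0
        self._skip = 0  # depth inside <style>/<script>, never rendered

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("style", "script"):
            self._skip += 1
        if tag == "img":
            self.images += 1
        if attrs.get("title"):
            self.hidden_title_chars += len(attrs["title"])

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.visible_chars += len(data.strip())


def suspicious_received(headers):
    """True when a Received line names a sender host but shows a loopback IP."""
    return any("from " in h and LOOPBACK_RE.search(h) for h in headers)


def junk_base64(text):
    """Count base64-looking runs that do not decode to readable UTF-8 text."""
    junk = 0
    for blob in B64_RE.findall(text):
        try:
            base64.b64decode(blob, validate=True).decode("utf-8")
        except Exception:  # bad padding, bad alphabet or unreadable bytes
            junk += 1
    return junk


def score_message(raw):
    """Return the list of heuristic flags raised by a single-part HTML mail."""
    msg = message_from_string(raw)
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    stats = BodyStats()
    stats.feed(html)
    flags = []
    if suspicious_received(msg.get_all("Received", [])):
        flags.append("received_loopback")
    if stats.hidden_title_chars > stats.visible_chars:
        flags.append("text_hidden_in_title")
    if stats.images and stats.visible_chars < 40:  # assumed threshold
        flags.append("image_only_body")
    if junk_base64(html):
        flags.append("junk_base64")
    return flags


# Constructed filler: bytes 0x80..0xC7 are never valid as the start of UTF-8.
JUNK_B64 = base64.b64encode(bytes(range(0x80, 0xC8))).decode()
# Constructed legitimate base64: decodes to a readable sentence.
LEGIT_B64 = base64.b64encode(
    b"Order confirmation: your parcel number is 0000-CONSTRUCTED-0000").decode()

# Constructed message mimicking the pattern from the thread (example.invalid hosts).
SAMPLE = """Received: from parmaxiz.org.uk (127.0.0.1)
\tby mx.example.invalid with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000
From: "Delivery" <noreply@example.invalid>
To: victim@example.invalid
Subject: Your package
Content-Type: text/html; charset=utf-8

<html><body>
<div title="Thank you for your purchase. Your order has shipped and will arrive in 3-5 business days. If you did not make this purchase please contact support.">
<a href="https://example.invalid/track"><img src="https://example.invalid/notice.png" alt=""></a>
</div>
<!-- """ + JUNK_B64 + """ -->
</body></html>
"""

# Constructed ordinary order confirmation for comparison.
CLEAN = """Received: from mail.example.invalid (203.0.113.5)
\tby mx.example.invalid with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000
From: "Shop" <orders@example.invalid>
To: customer@example.invalid
Subject: Order confirmation
Content-Type: text/html; charset=utf-8

<html><body><p>Thank you for your purchase. Your order has shipped and will
arrive in 3-5 business days.</p></body></html>
"""

if __name__ == "__main__":
    print("sample:", score_message(SAMPLE))
    print("clean: ", score_message(CLEAN))
```

Each flag on its own is weak (marketing mail is often image-heavy, and title attributes are common), so a real filter would combine them with sender reputation and domain age, which the thread also points to; the value of the script is that it shows the hidden text and the decoy base64 are measurable rather than invisible.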
A bot with the Correos logo to round off the scam
But what happens when we click on that image, as the email urges us to? We are redirected to a very elaborate bot that interacts with us in Spanish, telling us that it has a package in its offices (it even attaches a photo) on which our address is not visible.
So it asks us to provide our details and to pay the shipping costs, entering the payment details of our credit card. With such a professional bot, decorated with the Correos logo and everything, it is certainly not difficult for many users to end up falling for the deception.
Video | Sergio de los Santos (via Twitter)