Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block.
A similar technique is to encode the attack within a
mailto URL, because anti-phishing scanners and email clients rarely apply reputation intelligence to the addressee of outbound email.
In this attack, the phisher’s lure email contains a link which points at a URL that uses the
mailto: scheme to construct a reply email:
A victim who falls for this attack and clicks the link will find that their email client opens with a new message with a subject of the attacker’s choice, addressed to the attacker, possibly containing pre-populated body text that requests personal information. Alternatively, the user might just respond by sending a message saying “Hey, please protect me” or the like, and the attacker, upon receipt of the reply email, can then socially-engineer personal information out of the victim in subsequent replies.
The even lazier variant of this attack is to simply email the victim directly and request that they provide all of their personal information in a reply:
While this version of the attack feels even less believable, victims still fall for the scam, and there are even logical reasons for scammers to target only the most credulous victims.
Notably, while mail-based attacks might solicit the user’s credentials information, they might not even bother, instead directly asking for other monetizable information like credit card or banking numbers.