Philippe Masset

Engineer at Buffer.

Phishing with plain text emails

March 2014

Phishing emails and links

The Internet has always been a battleground between fraudsters and the rest of us.

One of the most common ways of extracting personal information from people is phishing, which usually starts with an email.

It's become common knowledge that fraudsters can craft emails that look like legitimate ones and slip malicious links into them:

<!-- You won't land on PayPal: the visible text and the href disagree -->
<a href="http://malicious.com">
    https://www.paypal.com/cgi-bin/webscr?cmd=_login
</a>

An excerpt of one such phishing attempt could look like this:

We apologize for any inconvenience this may have caused you and we strongly advise you to update the information you have on file with us. Clicking https://www.paypal.com/cgi-bin/webscr?cmd=_login will prevent any possible future billing problems with your account.

The plain text solution

To counter this, companies started sending plain text emails when talking about sensitive matters such as account security and personal information.

The (valid) reasoning behind this decision was that, since the mails were made up of text only, there wouldn't be any links to click on. They could thus start educating their users never to click on links in emails when about to enter personal information. Instead, users would be invited to manually select the portion of text that corresponds to the URL they're asked to follow, and paste it into their browser's address bar.

Such instructions are easy to follow, and shouldn't lead to any surprise – or so you'd think.

Circumventing the plain text limitation

The thing is, it's easy to make an HTML email look like a plain text one: just don't apply any CSS to any of the text.

That doesn't mean CSS can't be used to stuff additional text into the mail while leaving its general appearance unchanged.

Here's what a genuine plain text email could look like:

As a measure to make your accounts safer, within the next 24 hours we'll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess. Please go here to change your password now — http://account.leagueoflegends.com/change-password/na/en-us

And here's what the malicious version of the same email would look like:

As a measure to make your accounts safer, within the next 24 hours we'll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess. Please go here to change your password now —
http://malicious.com/malicious-password-form#account.leagueoflegends.com/change-password/na/en-us

In the mail client it looks like plain text, but it's actually HTML: unstyled text with more text hidden in between (in this text copy of the post the hidden fragment is printed in full). Try copying and pasting the links from these two examples and see for yourself.

Have a look at the source of that malicious plain text-looking email; there really is nothing fancy to it apart from an almost-invisible text container:

As a measure to make your accounts safer, within the next
24 hours we'll require players with accounts in North America
to change their passwords to stronger ones that are much
harder to guess. Please go here to change your password
now — http://
<!-- A 1×1 px clipped box: nothing shows on screen, but a text selection still copies its contents -->
<span style="display: inline-block; width: 1px; max-height: 1px; margin-left: -1px; overflow: hidden;">
    malicious.com/malicious-password-form#
</span>
account.leagueoflegends.com/change-password/na/en-us

(Whitespace has been added for the above code to be more legible. See the source of the example right above for a working example.)

This malicious email has been successfully tested with the following email clients: Thunderbird, Gmail.com, Gmail Android application, Outlook.com, and Yahoo Mail. (The latter four strip the margin property out, making the subterfuge slightly visible – although probably not visible enough for it to be noticed by the unsavvy.)
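As an added example (not code from the post), here is a small Python check, standard library only, that models what a mail filter or a hardened client could do about both tricks shown above. It rebuilds the text a select-all/copy would yield, records which characters an inline style hides, and then (1) flags <a> elements whose visible text is itself a URL on a different host than the href, as in the PayPal excerpt, and (2) flags URLs in the copied text that contain characters the reader never saw, as in the 1×1 px span. The two sample mails and the malicious.example domain are constructed for this example, and the list of "hidden" style patterns is an assumption about what counts as invisible, not a list from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples (hypothetical domain malicious.example), modelled on the post.
# Trick 1: the link text says PayPal, the href goes elsewhere.
HREF_SAMPLE = (
    'Clicking <a href="http://malicious.example">'
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login</a> will prevent "
    "any possible future billing problems with your account."
)
# Trick 2: unstyled text with a clipped 1x1 px box spliced into the URL.
HIDDEN_SAMPLE = (
    "Please go here to change your password now: http://"
    '<span style="display: inline-block; width: 1px; max-height: 1px; '
    'margin-left: -1px; overflow: hidden;">'
    "malicious.example/malicious-password-form#</span>"
    "account.leagueoflegends.com/change-password/na/en-us"
)

# Assumed heuristics for "in the DOM but not on screen" (inline styles only; a real
# filter would also resolve <style> blocks and colour-on-colour text).
_HIDDEN_STYLE = [
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?(?![.\d])"),
    re.compile(r"font-size\s*:\s*0(?:px|pt|em)?(?![.\d])"),
    # a (max-)width or height of 0 or 1px is a box too small to show any text
    re.compile(r"(?:^|;)\s*(?:max-)?(?:width|height)\s*:\s*[01](?:px)?(?![.\w])"),
]
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
         "meta", "param", "source", "track", "wbr"}
_URL = re.compile(r"https?://[^\s<>\"']+")


class _CopyTextParser(HTMLParser):
    """Rebuilds the text a select-all/copy yields, with a per-character flag saying
    whether an enclosing element's inline style hides it, plus <a> text offsets."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.copied = []    # text fragments in document order
        self.hidden = []    # one bool per character of the copied text
        self.anchors = []   # (href, start, end) offsets into the copied text
        self._stack = []    # (tag, hidden) for each open element
        self._open_a = None

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        attrs = dict(attrs)
        style = (attrs.get("style") or "").lower()
        hidden = any(p.search(style) for p in _HIDDEN_STYLE)
        hidden = hidden or bool(self._stack and self._stack[-1][1])  # inherit from parent
        self._stack.append((tag, hidden))
        if tag == "a":
            self._open_a = (attrs.get("href") or "", len(self.hidden))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_a:
            href, start = self._open_a
            self.anchors.append((href, start, len(self.hidden)))
            self._open_a = None
        for i in range(len(self._stack) - 1, -1, -1):  # pop back to the matching open tag
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        hidden = bool(self._stack and self._stack[-1][1])
        self.copied.append(data)
        self.hidden.extend([hidden] * len(data))


def _parse(html):
    p = _CopyTextParser()
    p.feed(html)
    p.close()
    return "".join(p.copied), p.hidden, p.anchors


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def find_href_mismatches(html):
    """Trick 1: anchor text that is itself a URL, on a different host than the href."""
    copied, _, anchors = _parse(html)
    findings = []
    for href, start, end in anchors:
        text = copied[start:end].strip()
        if _URL.fullmatch(text) and _host(text) != _host(href):
            findings.append({"shown": text, "href": href})
    return findings


def find_hidden_url_fragments(html):
    """Trick 2: a URL in the copied text containing characters the reader never saw."""
    copied, hidden, _ = _parse(html)
    findings = []
    for m in _URL.finditer(copied):
        mask = hidden[m.start():m.end()]
        if any(mask):
            shown = "".join(c for c, h in zip(m.group(0), mask) if not h)
            findings.append({"shown": shown, "copied": m.group(0)})
    return findings


if __name__ == "__main__":
    print(find_href_mismatches(HREF_SAMPLE))
    print(find_hidden_url_fragments(HIDDEN_SAMPLE))
```

Feed the body exactly as the client receives it: the legible source printed above has line breaks added, and a newline between "http://" and the span splits the URL, so only the compact form copies as a single address. For the hidden-fragment check, the finding's "shown" value is what the reader saw and "copied" is what would land in the address bar; a client could display that difference instead of silently pasting it.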

Fixing that security issue

Some email providers already offer their users a "plain text mode" that simply defaults to displaying all emails as plain text [1] instead of HTML. While disabling HTML in every email is a foolproof way of getting rid of HTML-related security issues, one might find it difficult to part with animated gifs in their emails – I certainly would. In addition, most email clients just don't allow "plain text" to be the default choice for viewing emails.

If disabling HTML altogether isn't an option, two alternative solutions come to mind.

1. Prevent the selection of hidden text

In the same way browsers don't allow the contents of a hidden element to be selected, an element that's too small for all its contents to be visible shouldn't be able to be selected entirely.

Maybe only the visible part of its contents should be selectable, making the 1×1 pixel <span> in the malicious email example above inoperative.

2. Secure links within text fields

Just as companies have switched from HTML links to plain text ones in the past, they could adopt a new way of displaying links safely in emails.

Text fields could be such an alternative – there's no way to hide text in these, at least to my knowledge. The only downside would be having to re-educate users: don't click on links, and don't select them unless they are displayed inside a text field.

Using this technique, the link in the email below would be safe to follow, as long as the client really does render the field's value as it is:

As a measure to make your accounts safer, within the next 24 hours we'll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess. Please copy the following link and paste it in your browser's address bar to change your password now —

(In the original post an HTML text field holding the URL follows here; it is not reproduced in this text copy.)

What are your thoughts on this issue, and what other solution can you imagine? Discuss on Hacker News or Reddit.