An interesting phish got missed by one of my spam filters (these days I’m using Mail.app’s filter (LSA-based), BrightMail (hybrid), and CRM114 (SBPH/Markovian), with Procmail doing the sorting):

It was pretty obviously a phish, but Mail.app’s HTML rendering (it loaded the map even w/ images turned off?) and the nested, encoded image-map URL within a proper link are pretty clever:

<A HREF="https://web.da-us.citibank.com/signin/scripts/Iogin2/user_setup.jsp"><map name="FPMap0"><area coords="0, 0, 610, 275" shape="rect" href="http://%31%34%38%2E%32%34%34%2E%39%33%2E%39:%34%39%30%33/%63%69%74/%69%6E%64%65%78%2E%68%74%6D"></map><img SRC="cid:part1.04000408.00060006@users-billing17@citibank.com" border="0" usemap="#FPMap0"></A>

Too bad Mail.app doesn’t have a show-only text option. Maybe it’s time to up the MIME defanging in Procmail.
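A filter-side check for this pattern, as an added example (not part of the original post or of any Procmail recipe the author uses): it flags `<area href>` targets whose authority is percent-encoded, is an IP literal, or differs from the enclosing `<a href>` host. The sample message is constructed with placeholder hosts (`bank.example`, `192.0.2.9`), and the names `pct`, `MapLinkAudit` and `audit` are hypothetical.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

def pct(s):
    # Percent-encode every character, the way the phish hid its host.
    return "".join(f"%{ord(c):02X}" for c in s)

# Constructed sample: same structure as the message above, placeholder hosts only.
SAMPLE = (
    '<A HREF="https://signin.bank.example/user_setup.jsp">'
    '<map name="FPMap0"><area coords="0, 0, 610, 275" shape="rect" '
    f'href="http://{pct("192.0.2.9")}:{pct("4903")}/{pct("cit")}/{pct("index.htm")}">'
    '</map><img src="cid:part1@bank.example" border="0" usemap="#FPMap0"></A>'
)

class MapLinkAudit(HTMLParser):
    """Collect <area href> targets and compare them to the enclosing <a href>."""
    def __init__(self):
        super().__init__()
        self.anchor_host = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a":
            self.anchor_host = urlsplit(href or "").hostname
        elif tag == "area" and href:
            raw = urlsplit(href).netloc  # authority exactly as written
            host = urlsplit("//" + unquote(raw)).hostname or ""
            reasons = []
            if "%" in raw:
                reasons.append("encoded-authority")
            try:
                ipaddress.ip_address(host)
                reasons.append("ip-literal-host")
            except ValueError:
                pass
            if self.anchor_host and host != self.anchor_host:
                reasons.append("differs-from-anchor")
            self.findings.append({"host": host, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "a":
            self.anchor_host = None

def audit(html):
    parser = MapLinkAudit()
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE)` returns one finding carrying all three reasons; any non-empty `reasons` list is a candidate for defanging or a score bump.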

Useful: