There is no progress here
On the contrary: Feels like we're going backwards.
Spammers are writing emails backwards in an attempt to sneak past spam filters, security researcher Brian Bebeau has found. The pests were using left-to-right override code intended to facilitate the use of bi-directional text, such as a document that included English and Hebrew. The Trustwave researcher said the tactic had a …
For the love of God, don't give the shitheads that do this any ideas. I say this because your headline text is not only backwards, it is also upside down. That or I'm finally losing my mind.
Anyway, my point is if server side anti-phishing filters can't reliably figure out backwards writing, they'll never cope with backward AND upside down text.
Not just the b, all the letters are normal (left to right); it's just the spelling that is reversed. In any event, any spam that comes through with any quantity of abnormal text of whatever type is getting binned. How hard can it be to throw a spell checker into the filter bin? There must be something that catches misspellings like v1agra, etc., as I haven't seen one of those in quite a while. I don't remember what client I was using way back in the day, but one of the filters was font color [1], so a reasonable dictionary filter should catch a good deal of this and most 419 scams as well.
[1] Which worked nearly perfectly until certain family members who shall go unnamed decided that all the new html/rich text effects were too cool to not use and I had to do tricks to filter based on the amount of colorful text. Eventually known family email addresses had to be whitelisted, but they got an autoreply of alternating #ffe080 and #c0e080 text on a #8fff00 background. Most stopped shortly after that but one thought it was fun. </facepalm>
No, no, no.
What you don't do on your CV is draw attention to the fact that you'll be able to read potentially confidential material that the boss may sometimes have on his desk.
Well, not unless you're using psychic paper for the CV and can update it on the fly...
"One of my abilities is to read mirrored, upside down or rotated text. Which is how I know that text message you've just glanced at before leaving your phone on your desk is from your mistress, making interesting suggestions about your rendezvous tonight - but rest assured that your wife will never find out if you give me the job..."
" I say this because your headline text is not only backwards, it is also upside down."
It was indeed a combination of the two. Which could also be simply referred to as "rotated".
Except the B, as James 51 pointed out. I can usually read mirrored/rotated text without problem (provided my slowly deteriorating eyesight can make it out on someone's desk to start with, which it used to be able to, but not so well these days) - but, while I could read the word "Backwards" with no real difficulty, that B threw me. It didn't look right at all, and I just couldn't see why, until I read James' comment.
It was indeed a combination of the two. Which could also be simply referred to as "rotated".
More on this in Rotations, Quaternions, and Double Groups by Simon L. Altmann (1986)
Phishers had also applied the tactic to sections of filenames in order to obfuscate the extension and slip malware past scanners. This meant 'PAYLOADexe.doc' would become PAYLOADcod.exe.
I call bullshit on that one, most mail servers I have used block .exe attachments as a matter of course, so a spammer is hardly likely to rename a .doc to a .exe.
However any mail scanner worth anything is going to actually scan the file to find out what the content is rather than relying on the extension.
Probably, but I remember an attempt to send a file called "example.com", which contained a textual dump of a DNS zone and was sent with a MIME type in the header of application/text, being bounced by Outlook as it was an executable (because of the .com extension).
Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension.
What is this reporting?
The virus scanners learned it the hard way when viri-writers were sending scr files around the intertubes back in the late 90's.
Yes, on Windows screensavers are executables, I know it is completely ff'd up, but no, we cannot say anything coz this forum is full of window cleaners. Rename the extension of any 32-bit/64-bit executable on windows to .com, .scr, or .exe and it will still run ...
"Virus scanners detect the first bytes of a file and, when this contains MZ (amongst others, MZ means executable), will block the attachment ... regardless of the extension."
Which is why many malware payloads are .zips - and because zips are now widely scanned they've recently resorted to ARJ archives (presumably they'll move to other ancient compression formats later)
I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message such that computers aren't likely to make it out correctly. Furthermore, encrypted ZIPs can't be blocked out of hand since they may actually be legitimate correspondence from a coworker (which makes a spear-phishing encrypted ZIP even more plausible).
I thought they already moved on to encrypted ZIP archives which can't be extracted by automation since the password to decrypt them is hidden carefully in the text of the message
Surely there comes a point at which the usual tech-illiterate victims of email malware become unable to actually open the payload?
People fall for 419 scams.
People believe that the person who has just rung them up about their machine being full of viruses is in fact a bona fide Microsoft employee.
People believe that that link which will get them a free copy of a game that normally sells for a couple of dollars will actually get them the game and the game only.
Never underestimate the human capacity to do something completely... stupid.
"Who in their right mind is going to click on a link in something that they can't read?"
Quite a few people if you preface the link with "Free Phone/tits/games/celebrity tits/money/sluts."
Now if someone were to come up with a game where you win money, women, new phones, or pictures of nude celebrities by navigating a pixellated bird between obstacles, we're all screwed...
Problem is, people stupid enough to fall for phishing mails are not likely to be deterred by an additional oddity here and there. They'll just assume "someone made a typo" and laugh at the stupid bank while providing their email, username, password, PIN, height, weight, eye color, ring size, what they ate that morning and when they last took a crap.
My point being: Stupid people will be stupid.
The point is the text in the email is written backwards (so scanners don't see normal keywords), but the text is wrapped in a block that tells the browser/email client that the text should be rendered right-to-left, so when it is displayed it looks normal to you, so something like (tags made up, not part of any standard I am aware of):
In the message
<encoding:ltr>!yenom dneS</encoding>
But on your screen:
Send money!
I suspect it might work here:
Let's say I write a message reporp eht sniatnoc ti fo emos dna unicode control codes.
There. Now copy/paste the sentence in bold in a terminal or a dumb text editor, and you will have a surprise.
EDIT: Emacs displays the same text, but vi displays something else.
I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too.
I think the attachment/link example is made up.
"I'm still puzzled about the allegedly disguised filename. The story is that the text is reversed so the scanner won't pick it up, but the display presents it in such a way that it reads normally. When you click on a link or a filename it doesn't matter what it looks like, the thing that is executed is whatever is in the text, and that's what the scanner will see too."
The example in the article is erroneous, but the idea is that the filename is written backwards, too. Think "txt.setoN gniteeM evituc.exE". This is actually a program (which could contain a zero-day privilege escalation rootkit or such), but if it's displayed in a RTL mode, the displayed name gets reversed and now appears to be "Exe.cutive Meeting Notes.txt", making it look like an innocuous text file. See where this is going? Combine this with spear phishing, and the whole thing could be believable enough to click to open.
But wouldn't that still raise a red flag since that ALSO means the text becomes right-aligned? The standard approach is to align e-mail and common text to the same side as the start of the text, is it not? Thus English starts on the left while Hebrew, Arabic, etc. start on the right.
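The filename trick and the MZ check discussed in this thread can be combined into one attachment check. The following is an added example, not part of any comment above: the function names, the simplified display model (Latin text only, U+202E reverses everything up to U+202C or the end of the name) and the sample bytes are assumptions made for illustration.

```python
# Bidirectional formatting characters: embeddings, overrides, isolates and
# implicit marks. U+202E (right-to-left override) is the one at issue here.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f",
}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com"}  # the ones named in the thread


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI draws (simplified model, see lead-in)."""
    out, run, reversing = [], [], False
    for ch in name:
        if ch == "\u202e":
            reversing = True
        elif ch == "\u202c" and reversing:
            out.append("".join(reversed(run)))
            run, reversing = [], False
        elif reversing:
            run.append(ch)
        elif ch not in BIDI_CONTROLS:
            out.append(ch)
    out.append("".join(reversed(run)))
    return "".join(out)


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(name: str, content: bytes) -> dict:
    """Compare the stored name with the drawn name and sniff the first bytes."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext, shown_ext = extension(stored), extension(displayed_name(name))
    mz = content[:2] == b"MZ"  # DOS/PE executable signature
    return {
        "bidi_controls": controls,
        "real_extension": real_ext,    # what the OS acts on
        "shown_extension": shown_ext,  # what the user reads
        "mz_header": mz,
        "suspicious": bool(controls) or real_ext != shown_ext
        or (mz and real_ext not in EXECUTABLE_EXTENSIONS),
    }


# Constructed sample: the article's PAYLOADcod.exe with an override inserted.
SAMPLE_NAME = "PAYLOAD\u202ecod.exe"
SAMPLE_BYTES = b"MZ\x90\x00"  # constructed header, not a real binary
```

The stored name still ends in `.exe`, so a scanner that works on the stored bytes and the file content sees an executable even though the drawn name reads `PAYLOADexe.doc`.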