Scam email - What's it trying to do?
Hi there,
I just got a scam email which had 2 parts, the scam (energy company bs), but hidden in the email (only visible in raw view or searches), it has the following:
Obviously hiding the tokens, but what's happening here? Is this just to make Gmail think the email isn't a scam? Is someone actually trying to log in?
Any info about what these links could do (because there's no way in hell I'm clicking them) would be great!
24 Replies
> Is this just to make Gmail think the email isn't a scam? Is someone actually trying to log in?

I can't answer this part for you with the limited information; I'd think it would only truly be a legit login if it came from @ cloudflare.com and had fully valid SPF and DKIM signing though.

> Any info about what these links could do (because there's no way in hell I'm clicking them) would be great!

Assuming the tokens are even valid (which is possibly a reach):
* the first one verifies an account registered to whatever email the token was sent to. This one you do not want to click if it's legit, because it will give someone a verified account with what could be your email.
* the second one is used for when someone registers an account on your email without consent and, again assuming the token is even valid, deletes the account that was created. This one, assuming the token is valid and the link actually leads to its intended destination (check for sneaky unicode characters in the domain, etc.), is safe to click.
This came through on my secondary email anyway, so no CF account
The thing is that like, the cloudflare part is hidden below other stuff
the email looks like that (which like, clearly a scam)
I find it so weird that they've given an email with dangerous cloudflare links, but they never render
well my point is one might have been created, thus making it potentially dangerous to click
That makes sense, I'm definitely not going anywhere near them links lol
you probably should remove the image btw, because it has the full link visible and any curious person could access it and do the potentially dangerous action
that's fair
the way you screenshotted it though makes me realise why
so there are a few different ways different email clients can interpret an email, either as HTML or as plain text; these are denoted by the "Part" and "Content-Type" sections there.
if an email client is HTML-compatible (most are), it will display the email as the fancy HTML that you saw.
if it supports text only, it will instead display the cloudflare verification links. maybe it's two traps bundled into one, or maybe the bad actor has no idea what they're doing, who knows
oh actually, never mind, that's text/html also
but the point stands that they are two separate parts and it depends on how the email client interprets it; maybe check the Content-Type of the other
interesting
I do find it weird that Apple's mail app lets you search for "cloudflare" and it comes up, but won't render it in the email
yeah that is weird
maybe there's CSS to hide it
Actually same in the gmail website
But it has no classes or anything
although it's outside of the whole <html> so maybe that's weird
it's in a separate email part entirely
but yeah, weird
But they've gone straight for <p> not <html>
indeed
I don't think there's a great deal of insight you can surmise from this alone, but I would guess it's trying to take advantage of some types of mail clients
Fair
I mean I cURL'd the links from the first part (not cloudflare), and it has a fake "send message" form, loads of placeholder text, and script tags I don't trust
Anyway yeah, I was interested what they were trying to achieve and how dangerous them links were, so thank you!
hard to tell the overall goal sadly
Turns out at the start, there's also an EA section
but it does include this:
(EA > Solar > Cloudflare)
it could still even be possible it's what you theorised, trying to avoid spam detection by posing as legit emails
lol
which one is
text/plain
cloudflare
ah
so it was what i originally thought then, clients not supporting html will show the cloudflare links
so they list it in 2 different types?
and maybe some spam detections only run on the text part or something, idk
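The multipart point made above (links sitting in a text/plain part that HTML-capable clients never render) can be checked mechanically. This is an added example, not code from the thread or from Cloudflare; the message it parses is constructed inline, and every domain and token in it is a placeholder.

```python
import re
from email import message_from_string
from email.policy import default

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample resembling the thread's description: an HTML part with the
# visible lure and a text/plain part carrying different links that HTML-capable
# clients never render. Domains and tokens are placeholders, not real values.
SAMPLE_EMAIL = """\
From: billing@energy-lure.example
To: victim@example.com
Subject: Your energy account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please verify your account: https://verify.example.invalid/?token=PLACEHOLDER1
Did not register? https://verify.example.invalid/unintended?token=PLACEHOLDER2

--b1
Content-Type: text/html; charset="utf-8"

<p>Your energy bill is overdue. <a href="https://energy-lure.example/pay">Pay now</a></p>
--b1--
"""


def urls_by_part(raw):
    """Map each leaf MIME part's content type to the set of URLs it contains."""
    msg = message_from_string(raw, policy=default)
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no body of their own
        body = part.get_content()
        found.setdefault(part.get_content_type(), set()).update(URL_RE.findall(body))
    return found


def hidden_plain_links(raw):
    """URLs present only in text/plain, i.e. invisible to HTML-rendering clients."""
    found = urls_by_part(raw)
    return sorted(found.get("text/plain", set()) - found.get("text/html", set()))


if __name__ == "__main__":
    for url in hidden_plain_links(SAMPLE_EMAIL):
        print("hidden in text/plain:", url)
```

A mismatch between the link sets of the two alternative parts is a useful triage signal on its own, since a legitimately generated multipart/alternative message normally carries the same links in both renderings.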
true, yeah
also should I open the unintended registration one?
nvm, that page doesn't exist and it just goes to /