When attackers are crafting malicious messages, they have two opposing goals.

One is to craft an email that looks like a standard message to the end-user.

The other is to craft an email that looks like gibberish to the email scanner.

The idea is to create a message that appears normal enough to click for the end-user but scrambled enough that the security system doesn’t know what to do with it. 

There are countless ways to do this.

One method that’s making the rounds of late is reversing the text. 

Starting in April 2022, Avanan researchers have seen an uptick in so-called reverse text attacks, whereby the end-user sees a string of normal text while the email scanner sees it in reverse. This allows credential harvesting links to sneak by the scanner and head into the inbox. In this attack brief, Avanan will analyze how hackers are utilizing reverse text to get into the inbox and steal credentials. 

Attack

In this attack, hackers are using some HTML trickery to present reverse text to the security system and normal text to the end-user.  Right-to-left text is normally used for Middle Eastern languages like Hebrew and Arabic; however, hackers are exploiting this text orientation on Latin-based characters.  The goal is to make text obscure during cybersecurity scans.

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Reverse Text
  • Target: Any end-user

Email

In this attack, threat actors are reversing the text on the back end, making it unparseable for the scanner, thus getting into the inbox. 

 

Email Example #1

 

To the end-user, the text looks normal. On the back end, however, switching the direction of the text from the right to the left, confuses email scanners. 

Techniques

For hackers, obfuscation is one of the most reliable ways to get into the inbox. By hiding the true intent of the attack, the malicious email has a much better chance. If the solution can’t “see” the attack, then they can’t stop it.

There are countless ways to do this, and we have written about many in the past. There’s the ZeroFont attack, the OneFont attack; highlighting text in white; the No Display attack; and much more. 

In this attack, the hackers are reversing the text. This has the security system seeing what looks like gibberish. With the Natural Language Processing unable to make sense of it, it seems instead like a normal email.

It looks like a typical email for the end-user with no issues, making it more liable to be clicked on.

This is a particularly clever attack, as it scams both the user and the computer. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Deploy email security that uses multiple factors to identify a malicious email
  • Remind users to exercise caution when seeing password resets or other similar emails