Specific MacOSX/Mail security question....
Hawkeye_a
Addicted to MacNN
Join Date: Apr 2000
Feb 22, 2013, 08:14 PM
 
I got a question regarding a bogus email I received. (I know it's bogus because I had used a different email to register for the service). So this is obviously someone else masquerading as the service....

There are links in the email. I didn't click on any of them, but I was hovering over one of them to check out what the link is. MacOSX Mail started loading the "preview" of the link for some reason in a 'comic bubble'. I immediately quit Mail.

Is there any harm that could have been done to my machine via Mail attempting to load the link in the email? I'm not sure what sort of things can be accessed or changed via webpage? If someone could shed some light on this sort of thing, it would be much appreciated.

I already know to not install anything, or go to a link in suspicious emails and enter any login credentials, etc. But I was wondering if simply loading a webpage could do any harm?

Cheers
     
tightsocks
Mac Enthusiast
Join Date: Feb 2005
Feb 22, 2013, 08:33 PM
 
Originally Posted by Hawkeye_a View Post
But I was wondering if simply loading a webpage could do any harm?
I'm sure others will say a definitive, 'No.'
But I would say that we just don't know.

It is certainly conceivable that a bug with a 0day exploit exists in the way that Mail displays website previews and that the page that was shown contains exploit code.
Is it likely - probably not.
Did it actually happen that the previewed site had such exploit code - there is no way to know.
     
Hawkeye_a  (op)
Addicted to MacNN
Join Date: Apr 2000
Feb 22, 2013, 08:49 PM
 
For the sake of information, let's assume the worst.

What could be the result? Put another way, what could they do? How does one detect it?
     
tightsocks
Mac Enthusiast
Join Date: Feb 2005
Feb 22, 2013, 11:25 PM
 
Originally Posted by Hawkeye_a View Post
For the sake of information, let's assume the worst.

What could be the result?
Arbitrary code execution - Wikipedia, the free encyclopedia

Put another way, what could they do?
Anything.

How does one detect it?
I guess you could run a virus scanner, although depending on if the resulting malware is known or not it may not be detected.
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Feb 23, 2013, 01:54 AM
 
Go into your Mail preferences and turn off preview loading. Under the Viewing pref tab, you can turn off Display of Remote Images. You're using a later version of Mail than I have, so I don't know where the option is to turn off link previews, but there will be one somewhere.

If there's an undiscovered bug in Mail, preview-loading could result in arbitrary code execution. This is unlikely, and you quit Mail immediately (the correct move if that were happening). So I'd rate this as very unlikely.

However - if the link contains a unique variable, then loading it confirms your email address with the spammers. And gives them your current IP address at time of previewing. This might give them an approximate physical location (nearest city).

If you turn off previewing in Mail prefs, then you can hover over the link again and check for variables after the main link address.

Assuming a unique variable is present, the most likely consequences: more spam. And possibly targeted based on your geographic location. If people are buying more cars or bedtime meds in your area, you may get more ads for those products. If escorts are popular in the nearest city, you may get offers and pictures of employees. Etc.
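
Added example, not part of any poster's reply: Python code for the check reader50 describes, inspecting a copied link's query string (without loading it) for values that identify the recipient. It goes beyond the post by also matching base64, hex and hashed forms of the address and by flagging long opaque tokens; the function names, sample address and sample URL are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, urlsplit

def _decodings(value):
    """Yield the value plus any base64 or hex decoding of it that is valid text."""
    yield value
    padded = value + "=" * (-len(value) % 4)  # restore stripped base64 padding
    for decoder, text in ((base64.urlsafe_b64decode, padded), (bytes.fromhex, value)):
        try:
            yield decoder(text).decode("utf-8")
        except ValueError:  # bad padding, bad hex digit or non-UTF-8 bytes
            pass

def recipient_markers(url, recipient):
    """Return (parameter, reason) for query values that can identify the recipient."""
    recipient = recipient.strip().lower()
    digests = {hashlib.new(algo, recipient.encode()).hexdigest(): algo
               for algo in ("md5", "sha1", "sha256")}
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        reason = None
        if value.lower() in digests:
            reason = digests[value.lower()] + " hash of address"
        else:
            for decoded in _decodings(value):
                if recipient in decoded.lower():
                    reason = "address in clear" if decoded == value else "encoded address"
                    break
        # Heuristic: a long alphanumeric value may be a per-recipient id
        # even when it cannot be tied back to the address.
        if reason is None and len(value) >= 16 and value.isalnum():
            reason = "opaque token, possibly per-recipient"
        if reason:
            findings.append((name, reason))
    return findings

if __name__ == "__main__":
    # Constructed sample address and link, not taken from the thread.
    me = "user@example.com"
    token = base64.urlsafe_b64encode(me.encode()).decode().rstrip("=")
    link = "http://tracker.example/c?campaign=7&u=" + token
    for finding in recipient_markers(link, me):
        print(finding)
```

An empty result does not prove a link is untracked: the identifier can also sit in the path or host name, which this check does not examine.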
     
Hawkeye_a  (op)
Addicted to MacNN
Join Date: Apr 2000
Feb 23, 2013, 02:07 AM
 
Originally Posted by reader50 View Post
Go into your Mail preferences and turn off preview loading. Under the Viewing pref tab, you can turn off Display of Remote Images. You're using a later version of Mail than I have, so I don't know where the option is to turn off link previews, but there will be one somewhere.

If there's an undiscovered bug in Mail, preview-loading could result in arbitrary code execution. This is unlikely, and you quit Mail immediately (the correct move if that were happening). So I'd rate this as very unlikely.

However - if the link contains a unique variable, then loading it confirms your email address with the spammers. And gives them your current IP address at time of previewing. This might give them an approximate physical location (nearest city).

If you turn off previewing in Mail prefs, then you can hover over the link again and check for variables after the main link address.

Assuming a unique variable is present, the most likely consequences: more spam. And possibly targeted based on your geographic location. If people are buying more cars or bedtime meds in your area, you may get more ads for those products. If escorts are popular in the nearest city, you may get offers and pictures of employees. Etc.
Thanks for your reply and detailed explanation, I really appreciate it. It did have a unique identifier in the querystring of the link (my email id), and I have received another email from them already.

I'm looking for that preference in Mail right now. I didn't even know Mail had the ability to load previews of links, which is extremely frustrating and quite frankly an unwanted security risk.

Cheers for the info.
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Feb 23, 2013, 03:49 PM
 
You say this link was masquerading as a service you are signed up with already. Presumably a well-known service. Most likely explanation is that this was a phishing attack which don't generally make much use of running code locally or even of known bugs or exploits. The vast, vast majority of phishing attacks are more like social engineering. Their aim is to trick you into handing over your username and password to a well-known service of which you are already a member. In terms of gain for the phishers, the best sites to spoof are financial. Your bank or PayPal probably being top of their lists. After those they are really just relying on you using the same credentials for all the sites you use so they get one password from you and then they can try it on financial sites where they can steal your bank details, empty your accounts or spend on your credit cards.

It's certainly possible that some kind of exploit or Malware can be triggered by loading a page inadvertently but if you have Mountain Lion, the default security setting won't install anything that doesn't come from a trusted (App Store) developer which rules out a lot of malware. There is also the fact that most malware is still built for Windows and won't work on your Mac anyway. We include the possibilities of your machine being added to a botnet, or infected with a keystroke logger for the sake of completeness, but the chances are very, very slim. If you're worried grab one of the free AV apps from the App Store and scan your system for peace of mind but I don't think you have a lot to worry about.
I have plenty of more important things to do, if only I could bring myself to do them....
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
Feb 23, 2013, 04:23 PM
 
Oddly I can't find out how to turn that preview feature on in my copy of Mail. You can turn remote html images off under the viewing preferences but I can't find anything about full page previews.
     
Hawkeye_a  (op)
Addicted to MacNN
Join Date: Apr 2000
Feb 23, 2013, 06:14 PM
 
It was a phishing attempt. I am running Lion. Being added to a botnet or having a key logger running is the sort of thing which worries me, especially the latter. Is it even possible to install that sort of thing covertly by visiting a webpage?

I've taken an extra precaution of attaching a change-event script to the LaunchDaemon and LaunchAgent folders on my system, and even locking the user LaunchAgent folder. Presumably (and maybe you can shed some light onto this), if there was some malware, it would have to be launched from a link in one of those folder(s) on startup/login. So unless those malware daemons are auto launched, it should be safer? (essentially preventing the 'client' malware from launching and communicating with the server?)
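
Added example, not part of the thread and not the poster's own script: a Python baseline-and-compare check for the LaunchAgent and LaunchDaemon folders mentioned above, reporting what each new or changed job file would run. The folder list is the standard set of launchd job locations on macOS; the function names are hypothetical, and the check covers only these folders.

```python
import hashlib
import os
import plistlib
from xml.parsers.expat import ExpatError

# Standard launchd job folders on macOS (system-wide and per-user).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

def snapshot(dirs=LAUNCHD_DIRS):
    """Map every regular file in the given folders to the SHA-256 of its contents."""
    state = {}
    for folder in dirs:
        if not os.path.isdir(folder):
            continue  # folder absent, e.g. no per-user agents yet
        for entry in os.listdir(folder):
            path = os.path.join(folder, entry)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    state[path] = hashlib.sha256(fh.read()).hexdigest()
    return state

def describe(path):
    """Return (Label, command) declared by a launchd job file, or None if unreadable."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # handles XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    if not isinstance(job, dict):
        return None
    return job.get("Label"), job.get("ProgramArguments") or [job.get("Program")]

def changes(baseline, current):
    """List (kind, path, job) for files added, removed or modified since the baseline."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report.append(("added", path, describe(path)))
        elif path not in current:
            report.append(("removed", path, None))
        elif baseline[path] != current[path]:
            report.append(("modified", path, describe(path)))
    return report
```

Take `snapshot()` once on a system believed to be clean, store the result, and later pass it with a fresh `snapshot()` to `changes()`.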
     
Hawkeye_a  (op)
Addicted to MacNN
Join Date: Apr 2000
Feb 23, 2013, 06:15 PM
 
Originally Posted by Waragainstsleep View Post
Oddly I can't find out how to turn that preview feature on in my copy of Mail. You can turn remote html images off under the viewing preferences but I can't find anything about full page previews.
I couldn't find anything to turn off previews, so I turned off the HTML images thing and switched it to classic view, so no email opens unless I double-click on it.
     