TL;DR
Bots are trying to trick people by making encoded email links look legitimate. They do this to spread spam, phishing attacks, and malware. We’ll cover why they do it, how to spot these fake links, and what you can do to protect yourself.
Why Bots Spoof Email Links
Bots automate tasks, including sending large volumes of email with malicious links. They use encoded links (such as those produced by URL shortening services or Base64 encoding) for a few reasons:
- Bypass filters: Many spam filters block known bad URLs. Encoding hides the true destination until the link is clicked.
- Obfuscation: It makes it harder to see where the link actually goes, increasing the chance someone will click it.
- Track clicks: Shortened links allow bots to track how many people are clicking on them, helping refine their attacks.
The goal is usually one of these:
- Phishing: Stealing usernames, passwords, or financial information by directing you to a fake login page.
- Malware distribution: Downloading viruses or other harmful software onto your computer.
- Spam: Sending unwanted advertisements or promotional material.
How Bots Encode Links
Here are some common methods bots use to encode links:
- URL Shorteners (Bitly, TinyURL): These services create a short link that redirects to the real URL.
  Original URL: https://example.com/malicious-page
  Shortened URL: bit.ly/2XyZabc
- Base64 Encoding: Converts text into a string of characters, making it unreadable without decoding.
  Original URL: https://example.com/malicious-page
  Encoded URL: aHR0cHM6Ly9leGFtcGxlLmNvbS9tYWxpY2lvdXMtcGFnZQ==
- HTML Encoding: Uses HTML entities to represent characters in the URL.
  Original URL: https://example.com/malicious-page?param=value&another=other
  Encoded URL: https://example.com/malicious-page?param=value&amp;another=other
How to Spot Spoofed Links
- Hover Before Clicking: Hover your mouse over the link (without clicking) to see the actual URL in the browser’s status bar. Look for anything suspicious.
- Check the Domain: Does the domain name match the sender? Typosquatting (e.g., examp1e.com instead of example.com) is common.
- Be Wary of Shortened URLs: Use a URL expander service (like Unshorten.it) to see the real destination before clicking.
- Look for Unusual Characters: HTML encoding or strange characters in the URL can be a red flag.
- Trust Your Gut: If something feels off, it probably is. Don’t click the link!
Protecting Yourself
- Email Security Software: Use an email provider with strong spam and phishing filters (e.g., Gmail, Outlook).
- Anti-Virus/Malware Protection: Keep your anti-virus software up to date.
- Two-Factor Authentication (2FA): Enable 2FA on important accounts for an extra layer of security.
- Be Careful with Attachments: Don’t open attachments from unknown senders.
- Report Suspicious Emails: Report phishing attempts to your email provider and relevant authorities (like Action Fraud in the UK).
Decoding Base64 Links
If you encounter a Base64-encoded link, you can decode it using online tools or command-line utilities.
- Online Decoder: Use a website like Base64 Decode.
- Command Line (Linux/macOS):
echo "aHR0cHM6Ly9leGFtcGxlLmNvbS9tYWxpY2lvdXMtcGFnZQ==" | base64 -d
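
As an added example (not part of the original page), the Python sketch below checks a link for the three encodings listed under How Bots Encode Links and performs the Base64 decoding step automatically, including when the padding has been stripped. The function names, the SHORTENERS list and the example.org redirector in the sample links are assumptions made for illustration.

```python
import base64
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed sample list; extend with the shorteners seen in your own mail flow.
SHORTENERS = {"bit.ly", "tinyurl.com"}
B64_VALUE = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")  # standard or URL-safe


def decode_b64_url(value):
    """Return the decoded URL if value is Base64 of an http(s) URL, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns '+' into a space
    if not B64_VALUE.fullmatch(value):
        return None
    padded = value + "=" * (-len(value) % 4)  # padding is often stripped
    try:
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.lower().startswith(("http://", "https://")) else None


def inspect_link(href):
    """Return (finding, detail) pairs for one link copied from an email."""
    findings = []
    url = html.unescape(href)  # undo &amp; and other HTML entities
    if url != href:
        findings.append(("html-entities", url))
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host in SHORTENERS:
        findings.append(("shortener", host))  # real target needs expanding
    # A Base64-wrapped destination can sit in a path segment or a query value.
    candidates = parts.path.split("/") + [v for _, v in parse_qsl(parts.query)]
    findings += [("base64-url", d) for d in map(decode_b64_url, candidates) if d]
    return findings


# Constructed sample links built from the URLs used on this page.
SAMPLES = [
    "bit.ly/2XyZabc",
    "https://example.com/malicious-page?param=value&amp;another=other",
    "https://example.org/r?u=aHR0cHM6Ly9leGFtcGxlLmNvbS9tYWxpY2lvdXMtcGFnZQ",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link))
```

A "shortener" finding only says the real destination is hidden; the link still has to be expanded before the destination can be judged.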