Question for you: how willing are you to quickly hit an Unsubscribe button on an unwanted email?
If you’re like most people in IT, who get far too much email, the answer is probably, “EXTREMELY willing.”
In fact, it’s probably an automatic response.
[ Evil Idea Series ] A malware infection campaign that creates legit-looking marketing emails, and the malware is at the unsubscribe link. — Daniel Miessler (@DanielMiessler) June 5, 2016
Why do we care?
If you’re security-minded you already know where this is going.
- We tell people not to click on links in emails.
- We tell people to unsubscribe from unwanted emails.
- What if attackers put the malware in the unsubscribe link?
And it’s true for IT Security people as well. Twitter polls are about the farthest thing from scientific polling, but this is NOT an encouraging response:
When you receive a legit-looking INFOSEC marketing campaign email, do you instantly hit the unsubscribe link? — Daniel Miessler (@DanielMiessler) June 5, 2016
That’s around 55% of respondents, a heavily InfoSec audience, who either constantly or often click unsubscribe links without thinking much about it.
- Dangerous links won’t always say “click here to collect your money,” or something similarly obvious.
- It might be a completely legit-looking email (from a vendor you’ve done business with), where the malware link is the unsubscribe link.
- If you’re worried about being phished, be a bit more cautious about going straight for the unsubscribe link.
- At a minimum, use the functionality in your email client to inspect the unsubscribe link before you follow it.
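A scripted version of that last point, as an added example that is not from the original post: it pulls every unsubscribe link out of a raw message (the RFC 2369 List-Unsubscribe header plus any body anchor whose visible text mentions “unsubscribe”) and flags links whose host does not belong to the sender’s domain, or that use plain http. The sample message and every domain in it are constructed for the demonstration, and the “last two labels” rule for the registrable domain is a simplification (real tooling would consult the Public Suffix List).

```python
"""Inspect unsubscribe links in a raw email before following them.

Added example, not from the original post. Extracts unsubscribe links from
the List-Unsubscribe header and from body anchors labelled "Unsubscribe",
then compares each link's host with the sender's domain.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample message: a legit-looking vendor mailer whose unsubscribe
# links point away from the sender's domain. All domains are placeholders.
SAMPLE_EMAIL = """\
From: Vendor Marketing <news@vendor-example.com>
To: you@example.org
Subject: Your monthly security digest
List-Unsubscribe: <mailto:leave@vendor-example.com>, <https://unsub.tracker-example.net/u/123>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Read the digest at <a href="https://www.vendor-example.com/digest">our site</a>.</p>
<p><a href="http://vendor-example.com.evil-example.net/x">Unsubscribe</a> from these emails.</p>
</body></html>
"""

# Matches <a ... href="..."> ... </a>, capturing the href and the inner HTML.
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.

    Real tooling should use the Public Suffix List so that e.g. co.uk is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_host(url: str) -> str:
    """Return the host a link will reach: the domain after '@' for mailto, else the URL host."""
    parsed = urlparse(url)
    if parsed.scheme.lower() == "mailto":
        return parsed.path.rsplit("@", 1)[-1].lower()
    return parsed.hostname or ""


def sender_domain(msg) -> str:
    """Domain of the first address in the From header (empty if absent)."""
    header = msg["From"]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def extract_unsubscribe_links(raw: str):
    """Return (message, [(source, url), ...]) for every unsubscribe link found."""
    msg = message_from_string(raw, policy=policy.default)
    links = []
    # RFC 2369 List-Unsubscribe: a comma-separated list of <url> items.
    for value in msg.get_all("List-Unsubscribe") or []:
        for url in re.findall(r"<([^>]+)>", value):
            links.append(("List-Unsubscribe header", url.strip()))
    # Body anchors whose visible text mentions "unsubscribe".
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, inner_html in ANCHOR_RE.findall(body.get_content()):
            visible = re.sub(r"<[^>]+>", "", inner_html).strip()
            if "unsubscribe" in visible.lower():
                links.append(("body anchor", href.strip()))
    return msg, links


def assess_unsubscribe_links(raw: str):
    """Flag each unsubscribe link that leaves the sender's domain or uses plain http."""
    msg, links = extract_unsubscribe_links(raw)
    sender = registered_domain(sender_domain(msg))
    report = []
    for source, url in links:
        host = link_host(url)
        flags = []
        if registered_domain(host) != sender:
            flags.append("host-mismatch")
        if urlparse(url).scheme.lower() == "http":
            flags.append("plain-http")
        report.append({"source": source, "url": url, "host": host, "flags": flags})
    return report


if __name__ == "__main__":
    for entry in assess_unsubscribe_links(SAMPLE_EMAIL):
        status = ", ".join(entry["flags"]) or "ok"
        print(f"{entry['source']:24} {entry['url']:50} -> {status}")
```

On the constructed sample the mailto link is the only one that stays on the sender’s domain; the tracker URL from the header is flagged for a host mismatch, and the body link is flagged both for the mismatch (the sender’s name is only a subdomain prefix of another registrable domain) and for being plain http. That is exactly the kind of check an email client’s “show link target” hover lets you do by eye.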