Phishers are doing their homework. The conventional way is to ask users to update their accounts by asking them to click a certain link. A phishing email usually displays legitimate URL or a hyperlink. Upon clicking, the user will be redirected to the phishing Web site.
But now, there’s no URL seen in new phishing email samples we’ve discovered. They display instead a legitimate email address. This is to trick users that the recipient of the user name and password they will send is a legitimate user, but looking at the source code of the mail, it would go to an individual email address, the phisher’s. Here are screenshots of no URL phishing email messages:
Figure 1. Spam sample scaring users into “upgrading” their Earthlink accounts in order to avoid closure.
Figure 2. Source code of the same spam mail in Figure 1 shows that any replies sent is actually sent to the phisher’s email address. The email address in the source code is not the email address earlier.
Another variety of the no URL phishing email is the technique of displaying the actual form to fill up while hiding the recipient or the phisher’s email address. Here are two other sample email messages:
Figure 3. Spam sample asking the user to verify their email accounts immediately by providing certain required information.
Figure 4. Source code of the same spam mail in Figure 3 shows that any replies sent is actually sent to the phisher’s email address.
They seem to have discovered a way to allow their email to slip through typical URL scanning efforts (since there are no URLs to scan). However, Trend Micro users are covered by the Smart Protection Network, which blocks email messages like these by analyzing the body of the email. Furhtermore, this type of phishing attack is already detected by our antispam patterns.