“A nearly impenetrable thicket of geekitude…”

Neci Feihsi

I got an interesting phish in today’s e-mail. Here’s how it looked in Thunderbird:

Dera Baalcrys Membre,

Tsih eamil was setn by the Braclays svreer
to verify yoru eiaml addrsse.

…and so on. My initial fears that the bad guys have finally lost it and just given up were allayed when I looked at the actual source of the message:

Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
De‮ra‬ Ba‮alcr‬ys

What is going on here? The message body is an attempt at Unicode. Code point 8238 is “right-to-left override”; code point 8236 is “pop directional formatting”. The sections contained within the “‮‬” groups are therefore supposed to be printed backwards.

How delightfully creative. Except that the message is marked as being encoded in ISO-8859-1, which doesn’t contain those code points. All the cleverness (probably aimed at some mail program that accepts the invalid code points) was ignored, leaving gibberish. The good news is that even if they fix that, the presence of “‮” in e-mail is going to be a pretty good indicator of something phishy going on.