Website Sign-Ups Hijacked by Email Spammers

John Lister's picture

Scammers have found a creative way to bypass spam filters, effectively tricking legitimate sites into sending the message on their behalf. It's a reminder that human skepticism is always a key part of cyber security.

The new scam was spotted by Sam Cook of Comparitech who spotted something amiss in an email from the British Newspaper "Archive," - a perfectly legitimate organization.

The scam email asked him to confirm his email address for registering an account with the site. The problem there was that Cook hadn't attempted to register. In fact, this was the first time he ever heard of the site.

Fake Name Included Website Link

On closer examination, the email notification included an obfuscated hyperlink immediately next to the recipients name - rather than further down the message, which is typically used to validate a sign-up request.

In this case the link didn't actually lead to anything, but could easily have pointed to a "drive-by download site," which attempts to automatically download malicious files to a machine once a connection is made.

Another tactic would be to direct the user to a site that was designed to resemble the organization in question, which then tries to trick people into handing over personal details.

It turned out that the British Newspaper "Archive" hadn't been hacked, but the email message really had come from their servers. The scammers had simply pretended to sign up using Cook's email address (presumably scraped from a data breach); along with the email, scammers included a fake name and link as part of the input. Instead of refusing malformed input on the form fields (like most secure websites do), British Newspaper "Archive" accepted the input and then sent the message on behalf of the scammers.

The point of the attack seems to be to get round spam filters. Generally these use a variety of signals to spot and block suspicious messages, such as shady-looking content. However, many try to avoid mistakenly blocking genuine messages.

Sites Will Need To Fix Loophole

Chances are that most users would be suspicious when they get a confirmation email from a site they didn't sign up to, and that most of those who spot anything amiss won't click on dubious looking links.

As with most email based scams, it's a numbers game. Because automation makes it easy and cheap to attempt the scam millions of times, even a tiny success rate could make the exercise worthwhile.

The only way this tactic can be cut off is for websites to configure their sign up form to block "names" or other submitted information that contains a link - something many already do. In the meantime, it's always worth thinking twice about clicking on any link in an email, even if it comes from a reliable source. (Source:

What's Your Opinion?

Are you surprised websites could leave themselves vulnerable to such a scam? Could smarter spam filters spot when a link appears in an unexpected place in a message? Would it be a smart idea for email services to display an "are you sure?" message when a user tried to click on any link in an email?

Rate this article: 
Average: 5 (8 votes)


Focused100's picture

I think this would be a good idea. It would be the last line of defense and probably easier to implement rather than having Gmail look for a malformed link in every incoming email.