UnsubPwning – How to Get Any User to Click Your Email Link & Pwn Them

So I recently had a good idea (probably in the shower).

One of the biggest issues when trying to penetrate a network is getting past the perimeter. The outside is almost always the most protected part, and if you had an internal user compromised you’d be well on your way to full compromise.

The normal idea here is usually to utilize spear phishing or attempt to get a user to click a link to a browser autopwn page, etc. Sadly, most people aren’t too keen on clicking random links they get in emails.

I started to think: what email links do I click on? More specifically, what links do I click on from senders I don’t already know?

Spam.

Yes, spam, and you probably do as well. I’m not talking Viagra ads, I’m talking the newsletters I’ve been signed up for (that I clearly never signed up for). Having a popular email address (mandatory at gmail) I often get subscribed to a lot of random newsletters. What do you do when you get a lot of newsletters? You click the unsubscribe link. Usually it’s just one click and you’re unsubscribed, so why wouldn’t you click it?

I hate all you people who use “mandatory” as a fake email address.

The idea is literally to spam your users with newsletter emails; eventually they will get fed up with them and click the unsubscribe link. Even better, you don’t have to pretend to be anyone they trust, so there is no research that needs to be done. Just spam and wait for them to unsubscribe.

Some issues with this method:

  • Gmail users might just filter your emails straight to spam (just make more newsletters mwuahaha)
  • Creating newsletters that look legit (I’d personally just clone another newsletter)
  • Admins will quickly start marking your emails as spam
  • Cat facts are not a viable newsletter anymore

Personally I think it’d be a lot more effective if you made the unsubscribe link large/noticeable. It’d be even better if you actually didn’t stop sending them the newsletters – forcing non-techy users to forward the emails to the IT guys.

I think you see where this is going…

Going further, if you made the newsletters embarrassing it might make the users even more inclined to click the unsubscribe link (porn sites/dating sites/etc). Other ideas I had include making the unsubscribe link an email address, and perhaps forcing users to display images so you can get their IP, etc. Perhaps even having an email that asks users to reply to it in order to unsubscribe, for simple email client fingerprinting…
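From the receiving side, the traits this lure relies on are all visible in the message itself: an unsubscribe link that leads somewhere other than the sender’s domain, a remote image that fires when the mail is rendered, and a mailto: unsubscribe or a mismatched Reply-To that pulls the reader into sending mail. The following triage script is an added example (not code from the original post) that flags those traits in inbound newsletters; the two sample messages and every domain in them are constructed placeholders.

```python
"""Triage heuristics for 'unsubscribe lure' newsletters.

Added example, not from the original post. Flags: an unsubscribe link that is
off-domain for the sender, a mailto: unsubscribe, a Reply-To on another domain,
and remote images (which behave as tracking beacons when rendered).
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

UNSUB_WORDS = re.compile(r"unsubscribe|opt[\s-]?out", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect <a href> targets with their anchor text, and <img src> sources."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, anchor text)
        self.images = []   # img src values
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude organisational domain: the last two labels (fine for the samples here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(addr):
    """Registrable domain of the first address found in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return registrable(m.group(1)) if m else ""


def triage(raw):
    """Return a list of finding strings for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = domain_of_address(msg["From"])
    findings = []
    reply_to = domain_of_address(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender {sender}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    p = _LinkCollector()
    p.feed(body.get_content())
    for href, text in p.links:
        if not (UNSUB_WORDS.search(text) or UNSUB_WORDS.search(href)):
            continue
        u = urlparse(href)
        if u.scheme == "mailto":
            findings.append(f"unsubscribe is a mailto: link ({u.path})")
        elif u.hostname and registrable(u.hostname) != sender:
            findings.append(f"unsubscribe link host {u.hostname} is off-domain for {sender}")
    for src in p.images:
        u = urlparse(src)
        if u.scheme in ("http", "https"):
            findings.append(f"remote image on {u.hostname} (renders as a tracking beacon)")
    return findings


# Constructed sample: the lure described in the post (placeholder domains).
SAMPLE_LURE = """From: "Weekly Deals" <news@example-newsletter.test>
Reply-To: unsub@tracker-host.invalid
To: user@corp.example
Subject: Your weekly deals
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Great deals this week!</p>
<img src="http://tracker-host.invalid/pixel.gif" width="1" height="1">
<p><a href="http://tracker-host.invalid/u/abc123">Click here to unsubscribe</a></p>
</body></html>
"""

# Constructed sample: a newsletter whose unsubscribe link stays on the sender's domain.
SAMPLE_LEGIT = """From: "Weekly Deals" <news@example-newsletter.test>
To: user@corp.example
Subject: Your weekly deals
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Great deals this week!</p>
<p><a href="https://example-newsletter.test/unsubscribe?id=1">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw) or ["no findings"])
```

The `registrable()` helper is deliberately simple; in a real mail gateway you would use the public suffix list instead of "last two labels", and you would treat any finding as a reason to rewrite or strip the link rather than to block the message outright, since legitimate list providers also host unsubscribe pages off the sender’s domain.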

To end, I’m surprised I haven’t read about this idea before! It seems so simple :)

TL;DR: Spam, Click, Pwn

Till next time,

-mandatory

Matthew Bryant (mandatory)

Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.