Spammers Using Obscure Character To Hide Malicious URLs

Spammers are a clever bunch and they are always looking for tricks to pull out of their sleeves. Any flaws or inconsistencies in the way browsers render text that can allow them to slip their URLs through are a spammer’s best friend. We all know about the emails that hurt our eyes pitching H3rb41 V14gr4, but now spammers have latched onto a little-used character called the Soft Hyphen (SHY). As reported by Threat Post, URLs with soft hyphens in them don’t trigger anti-spam filters and many browsers do not render the hyphen at all.

Here’s how the soft hyphen works:

Soft hyphens are represented by the HTML entity “&shy;” and rendered by a graphic symbol that’s identical to a standard hyphen (-). Unlike hyphens, though, soft hyphens are only used to mark where a word may be broken across lines, say within a Microsoft Word document.

When spammers use soft hyphens in a URL it can be formatted like this:; but it will be rendered in the browser like this: The user only sees what the browser renders. Therefore, in addition to breaking through filters that rely on text-matching, the soft hyphen character is valuable for phishing attempts. However, it isn’t a perfect method: more advanced filters that use content analysis will catch it and block the URL.
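The following Python sketch is an added example, not part of the original article. It shows why a plain text-matching filter misses a soft-hyphenated link and how decoding HTML entities and stripping invisible characters before matching catches it. The blocklist entry, sample HTML and function names are constructed for illustration, and stripping every Unicode "Cf" (format) character goes beyond the soft hyphen alone.

```python
import html
import re
import unicodedata

SOFT_HYPHEN = "\u00ad"  # what &shy;, &#173; and &#xAD; all decode to

# Constructed blocklist entry for this example; not a real indicator.
BLOCKLIST = {"bad-pharmacy.example"}

# Constructed message body: one obfuscated link, one ordinary link.
SAMPLE = (
    '<a href="http://bad&shy;-phar&#173;macy.ex&#xAD;ample/order">Refill</a> '
    '<a href="http://news.example/story">News</a>'
)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/?#:]+)', re.IGNORECASE)


def normalize_url(raw):
    """Decode HTML entities, then drop invisible format characters (category Cf)."""
    decoded = html.unescape(raw)
    return "".join(ch for ch in decoded if unicodedata.category(ch) != "Cf")


def scan_html(body):
    """Compare a naive substring match with a match on the normalized host."""
    findings = []
    for raw in HREF_RE.findall(body):
        clean = normalize_url(raw)
        match = HOST_RE.match(clean)
        host = match.group(1).lower() if match else ""
        findings.append({
            "url": clean,
            # A soft hyphen inside a link target is itself worth flagging.
            "obfuscated": SOFT_HYPHEN in html.unescape(raw),
            "naive_hit": any(entry in raw.lower() for entry in BLOCKLIST),
            "normalized_hit": host in BLOCKLIST,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

The `obfuscated` flag is useful on its own as a scoring signal, since a link target rarely has a legitimate reason to contain a soft hyphen.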

That said, email users should still be on guard and have good anti-virus and anti-spam software. Inconsistent rendering of HTML has been a constant security problem, providing an alluring loophole for spamming and phishing. The advent of HTML 5 in a few years is expected to solve these problems because it will finally standardize how HTML is parsed by browsers rather than leaving it up to the individual browser developers.
