How the heck can this guy encrypt images on his spam emails ????

Discussion in 'BlackHat Lounge' started by laranjagx4, Nov 7, 2012.

  1. laranjagx4

    laranjagx4 Regular Member

    Joined:
    Mar 28, 2012
    Messages:
    204
    Likes Received:
    103
    So, I got an email recently. And I noticed that even though my webmail app was showing the message: "To protect your privacy, remote images are blocked in this message.", it was actually showing the images!

    Screenshot:
    d(dot)pr/i/79Mr

    So I went down the code and found this:

    PS: The code was so fucking big that I had to paste it on pastebin. The link is pastebin(dot)com/FY9PTmQk

    So, all the images are referred to as "cid:" and their real addresses are encrypted so they are shown anyway.

    How the hell does this spammer encrypt emails like that ?!!!!

    Another screenshot:
    d(dot)pr/i/Ycj0

    These freaking Brazilians... don't share their stuff (I'm Brazilian too) )=
     
    Last edited: Nov 7, 2012
  2. laranjagx4

    Okay I found out that this guy uses Base64 to encrypt the images. I tried it by myself but mine looks kinda different from his way to do it..

    My way to embed:
    HTML:
    <img src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAWgBaAAD/4gxYSUNDX1BST0ZJTEUAAQEAAAxITGlubwIQAAB..."/>
    His way to embed:
    HTML:
    <img src="cid:82787535a2971a85b485e5682d0f3b19" width="680"
    style="display:block" border="0" alt="1" />
    And then at the end of the email he puts:
    Code:
    --b1_8c10c3a322e5bbe3d09546999f6fc31d
    Content-Type: image/jpeg; name="82787535a2971a85b485e5682d0f3b19"
    Content-Transfer-Encoding: base64
    Content-ID: <82787535a2971a85b485e5682d0f3b19>

    /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAMCAgICAg...
    I'm going to try his way tomorrow to see what happens, I just don't get what this "b1_8c10c3a322e5bbe3d09546999f6fc31d" thing means..
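
An added example, not part of the original posts: the `--b1_...` line is a MIME multipart boundary, and a `cid:` URL points at the part of the same message whose Content-ID matches, so the image travels inside the email and remote-image blocking has nothing to block. The Python below inventories every `<img>` source in a message as embedded, inline data URI or remote, as a mail-analysis script would; the sample message, the host name and the function name `classify_images` are assumptions constructed for this example.

```python
import base64
import re
from email import message_from_string, policy

# Constructed sample shaped like the message quoted above; the boundary,
# Content-ID, host name and image bytes are made up for this example.
FAKE_JPEG = base64.b64encode(b"\xff\xd8\xff\xe0" + b"\x00" * 12).decode()
SAMPLE = f"""\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1_example"

--b1_example
Content-Type: text/html; charset=utf-8

<img src="cid:img1example" width="680" alt="1" />
<img src="cid:missing-part" />
<img src="http://tracker.example/pixel.gif" />
<img src="data:image/jpeg;base64,{FAKE_JPEG}" />
--b1_example
Content-Type: image/jpeg; name="img1example"
Content-Transfer-Encoding: base64
Content-ID: <img1example>

{FAKE_JPEG}
--b1_example--
"""

IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def classify_images(raw):
    """Return (src, verdict) for every <img> in the HTML parts of a message."""
    msg = message_from_string(raw, policy=policy.default)
    # Content-ID (angle brackets stripped) -> MIME part carried in the message
    by_cid = {p["Content-ID"].strip("<> "): p for p in msg.walk() if p["Content-ID"]}
    results = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for src in IMG_SRC.findall(part.get_content()):
            scheme = src.split(":", 1)[0].lower()
            if scheme == "cid":
                ref = by_cid.get(src[4:])  # resolved locally, no network fetch
                verdict = "embedded:" + ref.get_content_type() if ref is not None else "dangling-cid"
            else:  # data: is inline too; anything else is fetched remotely
                verdict = {"data": "inline-data-uri"}.get(scheme, "remote")
            results.append((src, verdict))
    return results

if __name__ == "__main__":
    print(*classify_images(SAMPLE), sep="\n")
```

Only the `remote` entries cause a request to an outside server when the message is opened; the `embedded` and `inline-data-uri` ones are decoded from base64 bytes already delivered with the email.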