Scammers Abuse 'Email This' Feature on Legit Websites

Security researchers warn that scammers are abusing the "share via email" functionality of news websites in order to push scam emails that bypass spam filters.

In on example presented by Rik Ferguson, senior security advisor at Trend Micro, a classic 419 advance-fee scam was sent through the "email this" feature on the New York Times.

This functionality allows users to share links to articles with their friends and is common on many websites. However, it’s no longer very used today when there are Facebook Like or Tweet buttons.

Nevertheless, the feature can prove useful to scammers because it usually allows adding a personal message to the notification.

In Mr. Ferguson’s case, the scammer associated a message claiming they need assistance to transfer a large sum of money, with an article about social science funding.

The benefit of this approach for the sender is that the email is sent from New York Times’ servers and IP addresses, which are unlikely to be blacklisted in spam filters.

In addition, if the shared articles are chosen properly, they can add to the scam's credibility and turn it into a powerful social engineering attack.

“Perhaps web sites offering this kind of functionality would do well to invest in technology to scan the content of their outbound emails in order to stomp on this sort of abuse,” Mr. Ferguson notes.

“If it becomes widespread they are very likely to find themselves blacklisted which would be a serious blow to their social media capabilities,” he adds.

Apparently, this is not the first time when thes feature has been abused on the New York Times website. Searching about it on Google, reveals reports dating back to March.

This is also probably the reason why using the “email this” functionality currently requires users to have an account and be logged in on the website.