Question for you: how willing are you to quickly hit an Unsubscribe button on an unwanted email?

If you’re like most people in IT, who get far too much email, the answer is probably, “EXTREMELY willing.”

In fact, it’s probably an automatic response.

[ Evil Idea Series ] A malware infection campaign that creates legit looking marketing emails, and the malware is at the unsubscribe link. — Daniel Miessler (@DanielMiessler) June 5, 2016

Why do we care?

If you’re security-minded you already know where this is going.

We tell people not to click on links in emails. We tell people to unsubscribe from unwanted emails. What if attackers put the malware in the unsubscribe link?

And it’s true for IT Security people as well. Twitter polls are about the farthest thing from scientific polling, but this is NOT an encouraging response:

When you receive a legit-looking INFOSEC marketing campaign email, do you instantly hit the unsubscribe link? — Daniel Miessler (@DanielMiessler) June 5, 2016

That’s around 55% of a heavily InfoSec audience who either constantly or often click unsubscribe links without thinking much about it.

Summary