I wrote about the “Dick’s Sporting Goods” Yeti cooler scam, why it has slipped past Google’s most sophisticated machine learning tools, and what it means for the future of email spam https://www.wired.com/story/email-scam-dicks-sporting-goods-yeti-cooler/
No, You Haven’t Won a Yeti Cooler From Dick’s Sporting Goods

The future of email spam utilizes a coding trick that evades the most sophisticated detection tools.

WIRED
@laurengoode this is such a great example of how the (relatively minor) technical details of implementation leak through & affect regular users. Most code libraries treat the URL fragment (the part after the #) as completely distinct from the rest of an address, but spammers are often not conventional coders, so they don’t have the same assumptions about how a computer scientist looks at this data type. The surface area of vulnerability arises because of the cultural difference.
@anildash @laurengoode great, so GMail is allowing spammers to run js in my emails? That’s reassuring 🤦🏼‍♂️
@swrobel @laurengoode I think in many cases the js is *technically* running in your browser when you click, which is why it’s being missed.
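The two replies above turn on one detail: URL libraries split the fragment (the part after `#`) off from the rest of the address, and a browser never sends it to the server, so only script running on the landing page sees it. The snippet below is an added example, not code from this thread or from the WIRED article, showing what a server-side fetcher would receive versus what page script can read, plus a defender-side heuristic for mail or link filters. The sample links, the length threshold and the markup/blob patterns are my own assumptions, not anything reported about the actual scam.

```javascript
// Added example: fragment handling from a defender's point of view.
// Uses the WHATWG URL class available in browsers and Node.js.

// What an HTTP server (or a link scanner that only fetches the URL) receives:
// origin + path + query. The fragment never leaves the browser.
function serverVisiblePart(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// What client-side script on the landing page can read via location.hash.
// Includes the leading "#", or "" when there is no fragment.
function fragmentOf(link) {
  return new URL(link).hash;
}

// Heuristic (assumption, not a published rule): an in-page anchor such as
// "#section-2" is short and plain. Flag fragments that are long, decode to
// markup, or look like an encoded blob of data rather than an anchor name.
function suspiciousFragment(link, maxAnchorLen = 64) {
  const frag = fragmentOf(link).slice(1);
  if (frag === "") return false;
  let decoded = frag;
  try {
    decoded = decodeURIComponent(frag);
  } catch (_) {
    // malformed percent-encoding: keep the raw fragment for pattern checks
  }
  const looksLikeMarkup = /[<>]/.test(decoded);
  const looksLikeBlob = /^[A-Za-z0-9+/=_-]{40,}$/.test(frag);
  return frag.length > maxAnchorLen || looksLikeMarkup || looksLikeBlob;
}

// Scan a batch of links extracted from a message; returns the flagged ones.
// Arrow wrapper avoids Array.filter passing the index as maxAnchorLen.
function flagLinks(links) {
  return links.filter((l) => suspiciousFragment(l));
}

// Constructed sample links (placeholders, not real addresses from the scam).
const SAMPLE_LINKS = [
  "https://example.com/page#section-2",                       // ordinary anchor
  "https://example.com/page?utm=1#" + "A".repeat(120),          // long opaque blob
  "https://example.com/landing#" +
    encodeURIComponent("<div id=offer>You won</div>"),          // encoded markup
];

if (typeof require !== "undefined" && require.main === module) {
  for (const link of SAMPLE_LINKS) {
    console.log(serverVisiblePart(link), "| fragment:", fragmentOf(link),
      "| suspicious:", suspiciousFragment(link));
  }
}
```

The useful point for a filter author is the first function: if a scanner only checks what the server would serve for the link, every one of these addresses resolves to the same innocuous page, so the fragment has to be inspected separately from the rest of the URL.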
@laurengoode One of the questions I have about this is where it fits in trademark and copyright law. Wondering if an argument can be made that the companies seeing their brands abused don’t run the risk of losing protections if they themselves don’t vigorously seek to protect those rights the way current laws require.
@laurengoode Disappointed to learn this has nothing to do with the coolers washing up in Alaska.

@laurengoode Never had heard of a Yeti cooler until we started "winning" them. Some days we win half-a-dozen or so.
@laurengoode You’ve composed your toot in a way that appears to credit Dick’s Sporting Goods itself with operating the scam. 😐
@laurengoode This is in line with a thought I've been forming around what big tech has done for the internet from around 2005 until now. Facebook, Twitter, gmail -- they've all made the internet more easy (and safe) to use. A big part of their product credibility comes from network effects, and their revenue would sink if people were constantly getting scammed through their platforms.
@laurengoode We need to be reminded of what the internet was like before big tech turned it into a much safer walled garden. Early 2000s internet was rife with scams, and they'll become more easy to fall prey to with the rise in popularity of federated protocols (like mastodon), where there's no central authority whose bottom line suffers when its users are angry.
@laurengoode More generally, I think there's a tradeoff between corporate control of online interactions, and personal responsibility / awareness of what you're engaging with on the internet.
@quinticben @laurengoode No need at all to use big tech. I use Fastmail, a small employee-owned company, and it does a better job than Google.
@laurengoode they're terrible. But also I've noticed they're successful at tricking Google into offering the Unsubscribe option which isn't doing anyone any favors.
@laurengoode thank you! Honestly I was going nuts trying to block these.
@laurengoode Wait, so I didn't win that cooler?
@laurengoode This is such an annoying one for me. At one point I was seeing about 5-10 a day? As a 0 inbox person it was driving me nuts.
@laurengoode I’ve been wondering about this spam. It attacked right after I bought something at Dick’s for the very first time; over the summer. Same thing with Walmart-related spam I’d never gotten before I had ever given Walmart any money (was visiting in California and struggling to find a couple items needed quickly, otherwise I’d never go to Walmart).
@laurengoode PS: Thanks for writing about and posting this here. I hadn’t really put any time into looking it up.

@laurengoode I'm confused by the description of how the hack works. "The spammers are using the code that comes after the hash to run a snippet of JavaScript and program the page dynamically."

But that only happens once you click in the email and reach the destination page, right?

Are you saying the destination page is a legitimate Dick's Sporting Goods page but that page executes JavaScript in the hash fragment of the current page's URL? So the spammer takes advantage of that to modify the current page even though it's legitimately hosted on the Dick's Sporting Goods site?

@laurengoode Is anchor text really that old or deprecated? I learned about the hash when I was learning HTML, though granted that was circa 1999.
@laurengoode Funny that all of the Qualtrics-like emails have also trained people to click links in feedback emails from weird domains. Oof.