Replying to myself but also, they could easily trick you into clicking some link and exploiting you that way. HTTP isn't the issue here, it's just being exploited so they don't have to get you to click some link.

In all likelihood they'd do that if the less direct/obvious method of transmission didn't work.