Malicious HTML in E-Mail Increases

Spammers have suddenly cranked up the use of malicious HTML file attachments in recent days, according to security company Barracuda Networks.

Artwork: Chip Taylor
Using a number of search engine optimization-driven subject lines, the latest campaign tries to get recipients to click on "harmless" HTML attachments which launches an obfuscated Javascript attack that sends users to a variety of websites peddling everything from bogus CODECS to pharmacy.

One in particular, a standard advertisement for fake antivirus software, installs a back door -- even if the browser is closed so by the time the HTML file has been clicked it is already too late. (See also "How to Spot an E-Mail Scam.")

The only defenses against this sort of attack are either for it to be filtered at the gateway so it never reaches the user, or for the user to disable Javascript in their browser. Security software on the PC might catch the exploit.

Spam built around HTML is nothing new, but does seem to have become a hot technique in the last year or so with some spammers. A popular variant is the bogus "Delivery Status Notification Failure," a sneaky way to get the attention of a user without arousing suspicion.

More recently still, the spammers started embedding the Javascript inside the HTML file (rather than as a simple file attachment), to spread the horrible Zeus banking Trojan.

"So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless," concludes Barracuda Labs' researcher, Dave Michmerhuizen.

Since attachment attacks became a favorite tactic, spammers have tried almost every common format in existence, sometimes moving to obscure ones in an attempt to get around spam filters.

Subscribe to the Security Watch Newsletter

Comments