Wednesday, October 6, 2010

Spammers Change Delivery Techniques: Infected HTML Attachments On The Rise

(for less technical readers: an HTML attachment is when the email sent to you has an embedded web page in it - James)


TechEye.Net - HTML spam breaks banks, floods PCs
And there's more to come

"Spam campaigns using emails with infected HTML attachments accounted for around two and eight percent of all spam, according to Sophos.

The security company said this security threat was particularly rampant over the past four months but June and September were hit the worst with this spam accounting for eight percent of all email threats.

However, it seems the spammers may have been on their summer holidays in July and August with these figures falling.

Graham Cluley, senior technology consultant at Sophos said that part of this was down to a large number of malicious spam with embedded HTML attachments (detected as Troj/JSRedir-BO), and was associated with Facebook password resetting tasks, the FIFA World Cup and Skype in June."

"According to Symantec's September 2010 “State of Spam and Phishing” report, spam accounts for 92.51% of all email sent during August 2010, up from 91.89% during July 2010.

Spam originating from the Europe, Middle-East and Africa regions has decreased from 48.97% in June to 43.17% in August 2010.

The biggest concern of the September report, according to Symantec, is spam-distributed malware. Malware spam took a one month hiatus but has returned at triple the volume from the previous month's report.

Malware distributed as .zip attachments to spam emails saw a four-fold increase this month, but there was also a wave of .html attachments containing malicious JavaScript."
MyBroadBand News - Spam report: Top 10 subject lines and massive malware push

"Spam campaigns, which generated emails with malicious HTML attachments, have been particularly aggressive during the past four months and they accounted for between two and eight percent of all spam."

"The majority of rogue HTML files served in this manner consist of phishing pages or contain JavaScript code that redirects users to malware pushing websites.

As far as phishing is concerned, attacks employing this technique have targeted the customers of organizations like PayPal or Banchi de Credito Cooperativo.

"Instead of setting up a bogus financial website, scammers insert the phishing contents directly into the HTML attachment," the Sophos researchers explain."
Softpedia News - HTML Attachment Spam Exploded in Recent Months


I offer this information to readers of this blog, so that it gives you an idea of what is happening with email based attacks.

The TechEye article has a good list of the kind of results that can occur from even just opening email.

I personally run my email in text only mode. I can't send emails that are all fancy with pretty background graphics, and email sent with such elements is lost on me in these settings. I block all scripts running on email, and I block graphics and other page elements which pull from outside sites.

Always make sure you turn on your anti-phishing capabilities on your browsers and email clients, and don't allow your email to pull page elements in from outside addresses.

One of the critical reasons not to pull in outside graphics is that many of them do a targeted pull from a server somewhere, and by pulling that graphic you are verifying that your email address is live, that someone reads it, and that you open email with embedded web pages.
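As an added illustration of the advice above (not part of the original post or of any vendor's tooling), this Python example walks a message and reports, for each HTML part or attachment, the features discussed here: scripts, forms and password fields, meta-refresh redirects, and elements loaded from outside addresses. The sample message, its addresses and the names `RiskFinder` and `scan_message` are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not real spam): an HTML attachment carrying a script,
# a password form and a remotely loaded image with a per-recipient URL.
SAMPLE_EML = """\
From: alerts@bank.example
Subject: Verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="form.html"

<script>/* constructed placeholder */</script>
<form action="http://collect.example/post"><input type="password" name="p"></form>
<img src="http://track.example/pixel.gif?id=reader">
--b1--
"""

class RiskFinder(HTMLParser):
    """Collects the HTML features the post advises blocking in email."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag in ("script", "form"):
            self.findings.add(tag)  # active content / credential form
        if tag == "input" and a.get("type") == "password":
            self.findings.add("password-field")
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.add("meta-refresh")  # script-free redirect
        url = a.get("src") or a.get("href") or ""
        if tag in ("img", "iframe", "script", "link") and url.startswith(("http:", "https:", "//")):
            self.findings.add("remote-content")  # fetch reveals the reader

def scan_message(raw):
    """Return {part name: sorted findings} for every HTML part of a message."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RiskFinder()
            finder.feed(part.get_content())
            report[part.get_filename() or "(inline body)"] = sorted(finder.findings)
    return report
```

A mail gateway or a pre-delivery filter can use a report like this to strip or quarantine HTML attachments instead of relying on each reader's client settings.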


Personal Rant: Pretty emails with fancy fonts and pictures and backgrounds may look nice and make you warm and happy inside, but are they really worth the kind of automated terror that can be brought on when you open the email? If your computer gets infected because you like pretty emails and someone drains your bank account, will it be worth it then?

Personal Rant 2: Why would anyone ever open an attachment from someone they don't know? Really... why?

Personal Rant 3: If an email arrives claiming to be from your bank and asks you to click on the link in the email, don't. Banks do not send out emails asking for verification of personal information.

The exception to the above rule is if you were just at your bank website and asked to have it send you an email regarding your password, and one arrives moments after you requested it...
