Malicious HTML Mail Attachments Flood Inboxes


By Andrew Brandt


If you hadn’t already noticed, an ongoing spam campaign in which someone is sending email messages with attached HTML files continues to be a problem. The current campaign appears to be a new wave of spam similar to the one I reported on in July.

The messages, which began arriving a week ago, have subject lines pulled from news headlines (“Cops kill shooter at Johns Hopkins Hospital,” “America’s Got Talent Judges Were They Shocked,” “Daniel Covington”) as well as subject lines with a financial angle (“Apartment for rent,” “Invoice for Floor replacement,” “credit card,” and the ever-popular “Shipping Notification”).

The messages themselves are brief, such as the one shown above, and encourage the recipient to open the attached file.

Several readers have already sent me messages complaining about the volume, and asking what to do about the spam. My answer is the same with these spam messages as with any other spam messages: Delete them, mark them as spam, or do whatever you can to train your email spam filter to learn and block those messages.

One thing you should not do is open the HTML file.

Invariably, these files contain obfuscated JavaScript code that’s designed to make it hard to see what the file will do. In fact, the contents of the attachment look just like this.

However, each of these HTML attachments simply instructs the browser to navigate to a Web site that has been hijacked. Each of the redirects ends up on a page named x.html on the hijacked site. The page uses a common exploit kit, and loads code that attempts to take advantage of security vulnerabilities that may be present in your browser and other installed applications in order to infect your computer.

So, as tempting as it may be to click these files, please don’t.
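
As an added example (not code from the original post), here is one way a mail administrator could flag messages that fit the pattern described above: an HTML attachment whose script content redirects the browser. The indicator list, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristic markers (an assumed list, not taken from the post) for script-driven
# redirection and common JavaScript obfuscation helpers.
INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "location_redirect": re.compile(r"\b(?:window|document|top|self)\.location\b", re.I),
    "dynamic_eval": re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode", re.I),
}

def scan_message(raw_bytes):
    """Return [(filename, [indicator names])] for HTML attachments with hits."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if not (part.is_attachment() or name):
            continue  # inline body text, not an attached file
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings.append((name, hits))
    return findings

def build_sample(html, filename):
    """Build a constructed test message; addresses and hosts are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Shipping Notification"
    m.set_content("Please open the attached file.")
    m.add_attachment(html, subtype="html", filename=filename)
    return m.as_bytes()

# Constructed attachment bodies (not samples from the campaign).
REDIRECT_HTML = '<html><script>window.location = unescape("http%3A//hijacked.example/x.html");</script></html>\n'
BENIGN_HTML = "<html><body><p>Quarterly report</p></body></html>\n"

if __name__ == "__main__":
    print(scan_message(build_sample(REDIRECT_HTML, "invoice.html")))
    print(scan_message(build_sample(BENIGN_HTML, "report.html")))
```

A hit is a reason to quarantine the message for review rather than proof of malice, since legitimate HTML attachments can also contain scripts.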

2 thoughts on “Malicious HTML Mail Attachments Flood Inboxes”

  1. As of 12:00 noon today, my e-mail host and virus software are now picking up on this type of e-mail. So this might be the end of this FOR now.

  2. Pingback: Newsflash: HTML Spammers are Not So Bright « Webroot Threat Blog
