Spammers hit email users with new html attack

Beware html files in the inbox

Spammers have suddenly cranked up the use of malicious html file attachments in recent days, according to security company Barracuda Networks.

Using a number of search engine optimisation-driven subject lines, the latest campaign tries to get recipients to click on 'harmless' html attachments which launches an obfuscated Javascript attack that sends users to a variety of websites peddling everything from bogus CODECS to pharmacy.

One in particular, a standard advert for fake antivirus software, installs a back door - even if the browser is closed so by the time the html file has been clicked it is already too late.

The only defences against this sort of attack are either for it to be filtered at the gateway so it never reaches the user, or for the user to disable Javascript in their browser. Security software on the PC might catch the exploit.

Spam built around html is nothing new, but does seem to have become a hot technique in the last year or so with some spammers. A popular variant is the bogus 'Delivery Status Notification Failure', a sneaky way to get the attention of a user without arousing suspicion.

More recently still, the spammers started embedding the Javascript inside the html file (rather than as a simple file attachment), to spread the horrible Zeus banking Trojan.

"So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless," concludes Barracuda Labs' researcher, Dave Michmerhuizen.

Since attachment attacks became a favourite tactic, spammers have tried almost every common format in existence, sometimes moving to obscure ones in an attempt to get around spam filters.

Join the CSO newsletter!

Error: Please check your email address.

Tags Personal Techsecurity

More about Barracuda NetworksECS

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

More videos

Blog Posts