Pierluigi Paganini February 01, 2012

The threat arrives via email, is now read consuetidine attacks that use email as a vector for spreading malware. Until now we have observed as typical scenario for the contagion an unsuspecting user that clicks on a link in the body of email that started the download of malware or that open the agent directly attached to the email.

Unfortunately that aren’t the only way to infect remote pc, attackers have developed a new way to infect your PC through email without forcing any action from users. According the announcement of researchers at Eleven, a German security firm, it is sufficient that an email is opened in the email client to infect the final host without that the user click on a link or open an attachment. Eleven experts said that a new malware attack uses JavaScript in HTML email and doesn’t require user interaction to become infected.

Once the email is opened and the HTML is displayed, the malware attempts to scan the user’s computer and download malware while displaying a “Loading…please wait,” message. The easiest way to avoid this malware spam attack is to deactivate display of HTML emails in your account. The experts says that the mechaninsm is the same used to infect PC while users open an infected web site in their browser.

“This is similar to so-called drive-by downloads, which infect a PC by opening an infected website in the browser.”

The “drive-by spam” attacks observed are using email with well known subject “Banking security update” and a sender address with the domain fdic.com. If the email client allows HTML emails to be displayed, the HTML code is immediately activated. If we receive an email with the subject, “Banking Security Update,” or a similar message, we must take every precaution before opening open it at all, it is suggested to choose the option of displaying emails in pure-text format only to avoid problems.

The increasing use of email makes it much harder to detect whether an email is legitimate or counterfeit, and we must take in care that the with the introduction of the IPv6 blacklist-based anti-spam solutions will become early obsolete.
According to eleven, “the significant expansion of the address space allows for the use of throwaway addresses, which will be used only once for spamming.”
Blacklist concept is based on the possibility to identify those addresses used several times for spamming purpose, with the IPv6 the concept is not applicale due the wide options in term of address given to the attackers.

What are the simple rules to follow to avoid being victims of this type of fraud?

Ignore e-mails that ask for confidential data!

In general, send banks but also credit card companies and online payment services do not make e-mails that link to a page on which you should enter your account information. Delete the e-mail immediately and then not on the link! The mere visit to the site may lead to an infection with a virus or or trojan ( Drive-by download )!

Check whether the site is secure! 

Check to see where the link actually leads

Pay attention to the exact spelling of the URL! 

Always make sure that the spelling of the URL (even in e-mail sender!) And check it for spelling errors! Also check that URL, the company normally uses (by comparison with the site or with real e-mail)!

Pay close attention to what data you should enter! 

Not only account and credit card phishing is dangerous

Alleged e-mails from Facebook or Hotmail can be just as dangerous as those from your bank.

Pierluigi Paganini

References

http://www.eleven-securityblog.de/2012/01/phishing-funf-tipps-zum-erkennen-betrugerischer-e-mails/