Hackers just don’t take a break, do they? You’ve heard of drive-by downloads; well, meet drive-by emails — the next stage in the evolution of email-carried malware, the kind you don’t even need to download.
Normally you’d be safe if you didn’t download the attachment; in fact, your virus scanner might pick it up and quarantine it before you’ve even blinked. Not this time. Now all you need to do is open the email to get infected, and your virus scanner is going to be none the wiser until it’s too late. A German security company called Eleven found the new class of malicious emails in the wild and said:
“The new generation of e-mail-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware when the e-mail is opened.”
Of course you’re protected if you just view everything in plain text, but almost every email from any company comes with some sort of HTML formatting to spice things up a bit and grab your attention.
So watch out, folks. Don’t click on anything that looks like it could be even remotely suspicious, or set your email client to display everything in plain text. Just make sure you don’t end up as part of a botnet, unless you really want to, of course. [Eleven via MSNBC]

FUD Thursday or something?
Both Hotmail and GMail won’t load HTML on emails by default. To the best of my knowledge, Outlook, Thunderbird, etc, don’t either. Pretty much -exactly- for this reason.
Still gotta be a bit dumb to fall for this, really. Generally means either using a really rubbish mail client or allowing that client to expose you to the content of the email by telling it that you think it’s safe. It’s not likely that said email will be all that convincing, so I wouldn’t be too concerned if you’ve remotely got your wits about you.
AFAIK, GMail only blocks images from emails being loaded automatically, it doesn’t block the HTML. No idea what it does about JavaScript embedded within the HTML though.
Or just use Linux?
Yea. Just throw out the baby with the bathwater why don’t you.
I’ve tried googling this but nothing really seems helpful… My e-mail lately has started just getting A LOT of spam, which I can’t understand as I haven’t signed up to anything new, when I do I ALWAYS opt out of e-mails etc… and no matter how many I try to block, I get ten new ones later that day and it’s just too much now. Is there an EASY way of starting a new e-mail address? I can’t be bothered with the hassle of going to every website I use and changing the e-mail address but if it’s the only way I suppose it’ll have to be done.
You could always just keep the old email and put in filters to forward guaranteed genuine email to your new one.
Any idea how this works from a technical perspective? I googled “drive-by downloads” but that just seems to be IE users agreeing to install ActiveX controls with innocuous-sounding names that actually do malicious things.
The security bulletin is vague. Is that all this is – ActiveX controls embedded in HTML email?
Is this article from 1995 or something?
Yep – but the graphic of the big orange envelope with a skull and crossbones brings it right up to date.
After my initial “the world is doomed” thoughts as to my users, who can barely turn on their PCs, let alone spot a bogus email, I rummaged a little further. We currently use Sophos, who on their security blog didn’t seem to be able to recreate the issue.
http://nakedsecurity.sophos.com/2012/02/02/malware-attack-exploit-thunderbird/
Definitely one to keep an eye out for, though.