The Recent Burst of HTML Attachment Spam

Filed Under: Malware, SophosLabs, Spam

During the last 4 months, SophosLabs has seen a sharp resurgence of HTML attachment spam. As shown in the following figure, it accounted for 8% of all spam in June and September, and about 2-3% in July, August and October.

These malicious HTML attachments fall into two types: malicious JavaScript redirectors and phishing attachments.

Malicious JavaScript redirectors: In June, a large number of malicious spam messages with embedded HTML attachments (detected as Troj/JSRedir-BO) were associated with Facebook password resets, the FIFA World Cup and Skype [1,2].

SophosLabs then saw further waves of mass-spammed JavaScript redirectors in September, which were detected as JS/WndRed-B.

On the other hand, in an attempt to evade detection, phishing scammers continued to tweak and change the way they distribute their scams. A large volume of phishing campaigns against financial organizations such as PayPal and Banche di Credito Cooperativo was sent out in the last few months. Instead of setting up a bogus financial website, scammers insert the phishing content directly into the HTML attachment (as shown below):

Although HTML attachment spam campaigns have been spiking during the last 4 months, from SophosLabs' point of view the campaigns have been inconsistent in their distribution. SophosLabs has no reason to believe that this pattern is likely to change in the next few months.
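A mail-gateway triage of the two attachment types described above, as an added example that is not SophosLabs code: it walks a message's HTML attachments and flags script or meta-refresh redirects and embedded password forms. The class and function names, the sample message and the `.example` hosts are constructed for illustration, and the regex is a heuristic that only matches plain, unobfuscated script.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser

# Heuristic (assumption): script text that navigates the window elsewhere.
REDIRECT_JS = re.compile(r"\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\s*\(", re.I)

class AttachmentScan(HTMLParser):
    """Collects traits of the two attachment types the article describes."""
    def __init__(self):
        super().__init__()
        self.in_script, self.findings = False, set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        self.in_script = tag == "script"
        if tag == "meta" and a.get("http-equiv") == "refresh":
            self.findings.add("redirector")
        elif tag == "input" and a.get("type") == "password":
            self.findings.add("phishing-form")  # credential form inside the attachment

    def handle_endtag(self, tag):
        self.in_script = False  # script bodies contain no other end tags

    def handle_data(self, data):
        if self.in_script and REDIRECT_JS.search(data):
            self.findings.add("redirector")

def classify_html_attachments(raw_message):
    """Return {filename: sorted findings} for every HTML attachment in the message."""
    results = {}
    for part in message_from_string(raw_message).walk():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if not is_html or part.get_content_disposition() != "attachment":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        scan = AttachmentScan()
        scan.feed(html)
        scan.close()
        results[name] = sorted(scan.findings)
    return results

def build_sample():
    """Constructed message carrying one attachment of each type (not a real sample)."""
    msg = EmailMessage()
    msg.add_attachment("<script>window.location = 'http://redirect.example/';</script>", subtype="html", filename="reset.html")
    msg.add_attachment("<form action='http://collect.example/'><input type='password'></form>", subtype="html", filename="account.html")
    return msg.as_string()
```

An empty findings list means only that neither heuristic matched; it is not a verdict that the attachment is benign.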
