HTML files redirect users to malicious sites, evade mail server antivirus

Facebook, Twitter and Skype are Internet behemoths, counting hundreds of millions of users each, so it is not surprising that many malicious email campaigns masquerade as legitimate notices coming from these three sources.

The number of emails that try to trick recipients into downloading malicious files has surged in the last few days. Users are notified that their Twitter or Facebook password has been reset, that they should check details of purchases effected through Skype, that they have messages waiting for them, etc.

What these emails have in common is that they contain a .html file, which changes name from email to email, but always contains a script that redirects the users to a website rife with malicious code that tries to exploit vulnerabilities in Adobe, IE and Java and through them download malware onto the users’ computers.

A Bkis security researcher thinks we are witnessing the birth of a new trend. According to him, attackers will be switching to this kind of malicious file for two reasons:

  • A lot of people have learned by now that .exe and .zip files in attachments are probably bad news and they delete the email, but .html files have managed to avoid looking instantly suspicious.
  • These .html attachments don’t contain any kind of malicious or exploit code, which makes them perfect for bypassing antivirus programs integrated into mail servers, or antivirus solutions in general:

    When you think about it, the file in question does the exact same thing a malicious link would do, but – once again – many users have learned not to click on those either.
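Because the attachment carries no exploit code, signature scanning has nothing to match; what a mail gateway can look for instead is an attached .html file whose only job is to send the reader elsewhere. The following Python check is an added illustration, not code from the article or from Bkis, and the sample message, filename and URL in it are constructed:

```python
import re
from email import message_from_string

# Indicators that an attached .html file exists only to forward the reader
# elsewhere: the article notes such files carry no exploit code, so the
# redirect itself, not a malware signature, is what a gateway has to look for.
REDIRECT_PATTERNS = {
    "meta_refresh": re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "js_location": re.compile(r'(?:window|document|top|self)\.location(?:\.href)?\s*=', re.I),
    "js_location_call": re.compile(r'\blocation\.(?:replace|assign)\s*\(', re.I),
    "js_obfuscation": re.compile(r'\b(?:unescape|eval|String\.fromCharCode)\s*\(', re.I),
}

def score_html(html: str) -> dict:
    """Return the redirect indicators found in one HTML body."""
    hits = [name for name, rx in REDIRECT_PATTERNS.items() if rx.search(html)]
    # Drop scripts and tags; a pure redirector leaves almost nothing readable.
    visible = re.sub(r"<script.*?</script>|<[^>]+>", "", html, flags=re.I | re.S).strip()
    if hits and len(visible) < 50:
        hits.append("no_visible_content")
    return {"indicators": hits, "suspicious": bool(hits)}

def scan_message(raw: str) -> list:
    """Score every text/html part delivered as an attachment (inline HTML bodies are normal)."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        result = score_html(payload.decode("utf-8", "replace"))
        result["filename"] = part.get_filename()
        findings.append(result)
    return findings

# Constructed sample modelled on the campaign described above: a fake
# password-reset notice whose .html attachment only redirects (placeholder URL).
SAMPLE = """\
Subject: Your password has been reset
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; name="Password_Reset.html"
Content-Disposition: attachment; filename="Password_Reset.html"

<html><body><script>window.location.href="http://example.invalid/landing";</script></body></html>
--b1--
"""
```

Running `scan_message(SAMPLE)` yields one finding for Password_Reset.html with the `js_location` and `no_visible_content` indicators set; an ordinary HTML body with readable text and no location assignment scores as not suspicious.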
