Sunday, May 15, 2011

Targeted Attack Exposes Risk of Checking Personal Webmail at Work

Via TrendMicro Malware Blog (May 13, 2011) -

TrendLabs is currently monitoring an in-the-wild attack that highlights the underrated and often ignored risk to companies that allow employees to check their personal webmail while at work.

Yesterday, one of our colleagues in Taiwan received what looks like a targeted attack via webmail. Unlike other email-based attacks that require users to open the email, click on an embedded link or download and execute an attachment, this attack merely requires the user to preview the message in their browser in order to launch the attack.


Previewing the message prompts the download of a script from a remote URL. The downloaded script then injects itself into the page to initiate information theft. The stolen information includes sensitive data such as email messages and contact information. More importantly, the script also sets up email forwarding that sends all the user’s messages to a specific address.

The email appears to be specially crafted for a specific recipient: their Hotmail ID is used in the malicious script embedded in the mail. Also, the subsequent download is based on the Hotmail ID and a number specified by the attacker. Changing the number may change the payload.

If an employee checks their personal webmail at work and falls victim to the attack, the attacker can gain access to sensitive information that might be related to the company the employee is working for, including contacts and email messages. Companies should take the risk of this and similar attacks seriously, especially considering that merely previewing the email launches the attack.
