Targeted Attack Exposes Risk of Checking Personal Webmail at Work
TrendLabs is currently monitoring an in-the-wild attack that highlights the underrated and often ignored risk to companies that allow employees to check their personal webmail while at work.
Yesterday, one of our colleagues in Taiwan received what looks like a targeted attack via webmail. Unlike other email-based attacks that require users to open the email, click on an embedded link or download and execute an attachment, this attack merely requires the user to preview the message in their browser in order to launch the attack.
The following is a screenshot of the email inbox page:

The above message is translated roughly as follows:
Subject: Have you ever logged in Facebook from unknown location?
Content: Dear Facebook User,
Your Facebook account is accessed from a computer or device or from a location that you have never used before. For protecting your account security, before you have confirmed your account is not hacked, we temporarily locked down your account.
Have you ever logged in Facebook from other place?
If this is not your name, please use your personal computer to login Facebook and follow the instructions to manage your account information.
If this is not your account, please do not worry. Relogin can lead you back to your own account.
For more information, visit our Help Center here: … {link}
Thanks,
Facebook Security Team
Previewing the message prompts the download of a script from a remote URL. The downloaded script then injects itself into the page to initiate information theft. The stolen information includes sensitive data such as email messages and contact information. More importantly, the script also sets up email forwarding that sends all the user’s messages to a specific address.
The email appears to be specially crafted for a specific recipient: the recipient's Hotmail ID is used in the malicious script embedded in the mail. The subsequent download is also based on the Hotmail ID and a number specified by the attacker. Changing the number may change the payload.
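The post does not reproduce the malicious markup, so the following is an added example (not TrendLabs code and not the script from this attack) of the kind of check a mail gateway or webmail sanitizer can run: it flags HTML that would execute on preview and lists the hosts a remote script would be fetched from. The function names, the sample message and the `example.invalid` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that load or run active content as soon as a message is rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "meta", "base"}
URL_ATTRS = {"src", "href", "data", "action", "formaction", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class PreviewRiskScanner(HTMLParser):
    """Records markup that could execute when an HTML mail is merely previewed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (kind, tag, detail) tuples, in document order

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag, attrs.get("src", "")))
        for name, value in attrs.items():
            # Drop whitespace and control characters before matching, so
            # padded values are compared in normalized form.
            compact = "".join(ch for ch in value if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(("script-url", tag, name))
            elif name == "style" and "expression(" in compact:
                self.findings.append(("style-script", tag, name))

def scan_message(html_body):
    scanner = PreviewRiskScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings

def remote_script_hosts(findings):
    """Hosts that <script src=...> would contact: candidates for URL blocking."""
    hosts = {urlparse(d).hostname for k, t, d in findings if k == "active-tag" and t == "script"}
    return sorted(h for h in hosts if h)

# Constructed sample (not the message from this attack); hosts are placeholders.
SAMPLE = """<html><body><p>Dear user, your account was accessed from a new location.</p>
<img src="https://cdn.example.invalid/logo.png" onerror="next()">
<script src="http://scripts.example.invalid/loader.js?id=PLACEHOLDER-1"></script>
<a href="javascript:void(0)">Help Center</a>
<div style="width: expression(1)">footer</div></body></html>"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
    print(remote_script_hosts(scan_message(SAMPLE)))
```

A message with any finding should be rendered as plain text or have the flagged markup stripped before it reaches the preview pane.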
If an employee checks their personal webmail at work and falls victim to the attack, the attacker can gain access to sensitive information that might be related to the company the employee works for, including contacts and email messages. Companies should take the risk of this and similar attacks seriously, especially considering that merely previewing the email launches the attack.
TrendLabs is currently working on a more detailed analysis of the attack. In the meantime, users are advised to exercise caution when opening their Web-based email inbox, especially at work, since attacks like these may inadvertently compromise sensitive data.
Trend Micro already detects the downloaded malicious script as JS_AGENT.SMJ and blocks the malicious URL used in this attack. We strongly recommend that Trend Micro customers enable Web Reputation in their Trend Micro product right away to avoid being victimized by this and similar attacks. Non-Trend Micro customers can protect themselves through a combination of free tools like Trend Micro Web Protect Add-on and Browser Guard, or the like.
Post from: TrendLabs | Malware Blog – by Trend Micro