How can you recognize that the email attachment received is not safe? By Will Wisser Posted on December 19, 2017 2 min read 0 22,226 This article covers the hallmarks of potentially dangerous email attachments that, when opened, may infect your computer with malicious code. The cybercriminal ecosystem is getting increasingly sophisticated over time, but there are timeless, old school contamination techniques that don’t change and work just as effectively as they did years ago. Malspam (malicious spam) is at the forefront of these attack vectors. It is one of computer crooks’ invariable favorites because it allows them to infect thousands of computers around the world in one hit and on the cheap. To automate malware distribution campaigns through spam, the adversaries leverage botnets that are capable of generating enormous volumes of rogue emails in no time. Simply opening one of these messages isn’t likely to get you infected, unless of course it’s a phishing email and you follow a fake hyperlink embedded in it. What does pose serious risk, though, is the booby-trapped attachments. To email providers’ credit, they use filters to identify the most common dangerous attachments and prevent those message from reaching your inbox. In response to this, threat actors might employ a variety of obfuscation techniques that allow the toxic objects to slip under the radar of these filters. For instance, packaging the bad stuff in an archive is one of these tricks. Below is a list of email attachment types that commonly carry harmful payloads and should therefore be treated with extreme caution. Executables are a huge red flag Never ever open executable files received via email. Doing so will instantly deposit malicious code onto your computer, with all the ensuing consequences. Be advised it’s not only .exe extension files that should be avoided. Other potentially dangerous formats that can run bad code on your system include: .hta, .cmd, .scr, .js, .vbs, .vbe, .bat, .msi, .pif, .reg, .jar, .wsf, .lnk, .cpl, and .psc1. Executable binary attached to an email The double extension trick By default, Windows does not display the actual extensions of files in a bid to align with user experience criteria. Indeed, you probably don’t want to see those .docx’s, .jpg’s, .mov’s, etc. next to filenames. Perpetrators are known to use this hallmark to their own advantage. They may embed malicious files into emails while concatenating an extra ‘dummy’ string at the end of the filename to make it look like it’s completely benign. For example, imagine a scenario where you receive an email with image.jpg file on board. Looks like a regular picture, doesn’t it? Seemingly benign file with a secret under the hood However, once you open this pseudo image you unknowingly allow offending code to run on your machine. If you go to Folder Options, then proceed to the View tab and deselect the ‘Hide extensions for known file types’ checkbox, you will be surprised to see something like this instead of the deemed picture: The actual extension isn’t .jpg at all That’s an executable camouflaged as a JPG object, so it can evoke commands to plague your system with an arbitrary malicious program. The takeaway is not to be misled by the icon and extension shown for a file you receive by email. Keep that in mind. If you open an archive, you open a Pandora’s box Archives attached to emails are a classic means for attackers to conceal malicious artifacts. This way, they ensure that the message evades antivirus filters provided by email services. In particular, this applies to self-extracting .zip, .rar, and .7z archives, as well as password-protected ones where the password is provided in the body of the message. In the latter case, automatic security filters don’t have a slightest chance to scan the attachment. ZIP archive attached to an email poses a likely threat Bear in mind that attachments that come in the form of archives let cybercrooks conceal dangerous code, such as JS (JavaScript) files, and pose an obstacle to detection. A lot of the present-day crypto ransomware infections are making the rounds this way. So treat these entities with extreme caution. Beware of Office macros Malware distributors are proficient in weaponizing things that are intended to be benign. Microsoft Office macros, for instance, are heavily used by attackers to execute malicious code on computers. Here is how the stratagem works. An eye-catching email ends up in your inbox, with a subject like ‘Invoice’, ‘Receipt’, ‘Scanned fax copy’ or similar. The attachment is a Word file that, when you open it, doesn’t render content properly. One of the red flags to look out for is that the extension of the document is .docm / .xlsm versus the regular .docx / .xlsx. Rogue Word invoice with macros For you to be able to read the text, a security warning shows up that recommends you enable macros, or enable content. If you do so, things get out of hand as a VBA script is fired up in the background and downloads a malicious binary beyond your awareness. Some threat actors take this tactic a notch further by leveraging what’s called on-close macros. In a recent move, the proprietors of the Locky ransomware campaign have started using this trick, where malicious activity won’t commence until the trojanized Word document is closed. This poses an additional evasion layer that might prevent your antimalware suite from detecting the peril. Bottom line The above types of email attachments are most likely to cause trouble if opened, so you’d better steer clear of them. Aside from that, follow your intuition and look for clues indicating that something is wrong with the message. Pay attention to the spelling and grammar of the email’s subject and body. Reputable organizations take these things seriously, while criminals might not. Also, take a look at who sent you the email – whether you know that person or not. This, however, doesn’t always work because one of your contacts might have been compromised and it’s an attacker who actually sent the harmful file from the hacked account. And finally, a reliable Internet security suite with real time protection and anti-spam features on board will add an extra tier of security against booby-trapped email attachments.
Locky ransomware evolution There are ransomware samples out there whose devs cannot boast professional data encryption practices, …