I just received a suspicious email.
(The ‘from’ line is a person in my contacts, but the email address is not his usual one.) It says: from John Smith (tommyjones1998@ outlook dot com). His usual email address is Jsmith @ …
The email is a blank message, but with an attachment.
The attachment is labelled as an html file, called Johnsmith.html.
(Which I did not click on)
I thought that html files are simple, ascii plain-text files. Can they contain viruses?
It may not actually be HTML just because that’s what the filename says.
Just because it’s text doesn’t mean it can’t contain something hinky.
The problem is that html text represents instructions to your browser, and your browser is a very powerful program. Browser designers have done a lot in recent years to tighten down security and patch many of the holes that have been exploited previously, but it’s certainly possible for HTML to contain code you wouldn’t want to run on your computer.
It’s possible to open HTML in a text viewer (e.g. Notepad) and see the contents without executing any of the instructions, but it likely wouldn’t tell you anything.
Just as a matter of computer hygiene, whenever I get anything with an attachment that is not accompanied by a personal message that clearly identifies the sender as the person I know, I write to the person and ask if they were the sender.
And when I send an attachment, I write a personal message that only I–or at least someone who knows them personally–could have sent.
I have done analysis of unexpected HTML attachments using curl, which is a command-line tool that will send an HTTP request to a page and show you the returned HTML without having a browser execute it. The HTML attachment files typically will have a redirect to another URL. That is, if you open the attachment in your browser it immediately connects you to some web site. Sometimes the web site itself will have another redirect. I have never gotten to the bottom of these because I think they can somehow defend against a curl query but there are two things that are certain:
They are malicious
Opening an HTML attachment in your browser can open you to an attack
HTML can contain or link to malware. The danger is much less than it was 20 or even 10 years ago because browsers and operating systems are more commonly programmed to look for malware or malicious behavior.
Because it is more difficult to execute malware directly, the malware usually poses as some sort of software or document that the user is prompted to install; once the user gives the browser or operating system permission, all bets are off.
If you can just view the .HTML in Notepad, there is no danger there.
Am I right in assuming that curl requests the whole thing?
Spam links may contain a unique parameter that just tells the server to log that your specific unique link was clicked (so they can know your email address is worth spamming, or selling to other spammers)
Yeah, it’s pretty rare these days, but it does sometimes happen - in my last year in IT support, I saw two really bad cases - one was a single-click thing that went to a SharePoint site which somehow was able to run an exploit if the user had previously saved their Office 365 login credentials in their browser - it manifested as a blank white page which was running something - the whole machine bogged down and the user restarted it; we learned shortly afterward that copies of the spam email had been sent out of their mailbox to all of their contacts and recent respondents, with their legit sender address, and some of their mailbox contents had been harvested (evidenced by me later receiving a ‘reply’ from them, containing all of a real conversation history, but originating somewhere other than their mailbox).
The other one I saw was a CSRF vulnerability in the old version of YouTube Creator Studio - the old studio pages had some real jank - if you wanted to add someone as a manager of your YouTube channel, you had to fill a form which spanned several pages - all of the stuff you entered was not submitted - it was just passed to the next page as parameters in the URL - so all someone had to do was figure out what the last one of those would look like and give it to you as a link - bam! One click and someone else owns your YouTube account. (It’s fixed now.)
curl sends the URL but doesn’t send a header, so for example if a page uses POST to send data in the header, I don’t know if curl can replicate that. But in the cases I have seen, the HTML does a simple redirect to another URL which curl handles very nicely. You decide what curl sends. If a spam link has a parameter on the URL to uniquely identify you, you can send that with curl, or you can lop it off. But if you leave it off they will probably not send a response that will be useful to determine how malicious it is.
Here’s an example of an HTML attachment I received, sanitized. The email was sent to my work email telling me I have a voicemail message. The email I am showing here is fake. The URL is masked with stars.
That host is no longer available so I can’t reproduce the curl call. But these things tend to go down a rabbit hole of indirection. You may end up on a page with highly obfuscated JavaScript. It can be very difficult to tell what these things really do. In some cases it could just be advertising but I think most cases are actively malicious.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Your vmail is loading...</title>
<script>
window.location.replace("https://servers.**************.***/?e=cookingwithgas@work.com");
</script>
</head>
<body>
</body>
</html>
When I send that URL to curl the response comes back empty. I do not get an error but there is no content. If I try it in a browser, MalwareBytes flags it as phishing and won’t let me load it. So I’m guessing the server figures out I’m not using a browser and sends a null response.
You could try using the -A option to curl to set the user agent. By default curl identifies itself as the user agent, but you can override it to anything you like.
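Static triage of an attachment like the one posted above, as an added example that is not any poster's code: it pulls the redirect targets out of a saved HTML file with regular expressions instead of rendering it, strips recipient-identifying query keys such as the e= parameter in the sample, and assembles the curl -A probe suggested in the reply above (curl is not run here). The sample HTML, the .invalid hosts, the browser User-Agent string and the TRACKING_KEYS list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample modelled on the voicemail lure posted above (hosts are placeholders).
SAMPLE_HTML = """<html><head><title>Your vmail is loading...</title>
<meta http-equiv="refresh" content="0; url=https://cdn.example.invalid/track?e=user@work.com&id=42">
<script>window.location.replace("https://servers.example.invalid/?e=user@work.com");</script>
</head><body><a href="https://login.example.invalid/auth">Listen now</a></body></html>"""

# The usual ways an HTML lure sends the browser somewhere else, found by inspection, not execution.
REDIRECT_PATTERNS = [
    re.compile(r'window\.location(?:\.href|\.replace|\.assign)?\s*[=(]\s*["\']([^"\']+)["\']', re.I),
    re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+url=([^"\'>\s]+)', re.I),
    re.compile(r'<(?:a|iframe|form)\b[^>]+(?:href|src|action)=["\']([^"\']+)["\']', re.I),
]

# Query keys that typically identify the recipient rather than select content (assumed list).
TRACKING_KEYS = {"e", "email", "id", "uid", "u", "rcpt"}


def extract_targets(html: str) -> list[str]:
    """Return every outbound URL found by static inspection, grouped by pattern, deduplicated."""
    found = []
    for pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def strip_tracking(url: str) -> str:
    """Drop recipient-identifying query parameters so a later probe does not confirm the address."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_KEYS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def curl_probe_command(url: str) -> list[str]:
    """Argument list for a curl probe: browser-like User-Agent (-A), body discarded (-o /dev/null),
    response headers dumped to stdout (-D -); redirects are not followed because -L is absent."""
    return ["curl", "-sS", "-o", "/dev/null", "-D", "-",
            "-A", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", strip_tracking(url)]


if __name__ == "__main__":
    for u in extract_targets(SAMPLE_HTML):
        print(u, "->", strip_tracking(u))
```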
Curl really is the Swiss Army knife of access tools. Not just a matter of a kitchen sink, but how many and what colours.