Can an html attachment contain a virus?

I just received a suspicious email.
(The ‘from’ line is a person in my contacts, but the email address is not his usual one. It says: from "John Smith (tommyjones1998@ outlook dot com)". His usual email address is Jsmith @ …)

The email is a blank message, but with an attachment.
The attachment is labelled as an html file, called Johnsmith.html.
(Which I did not click on)

I thought that html files are simple, ascii plain-text files. Can they contain viruses?

Well, sort of.

  1. It may not actually be HTML just because that’s what the filename says.
  2. Just because it’s text doesn’t mean it can’t contain something hinky.

The problem is that html text represents instructions to your browser, and your browser is a very powerful program. Browser designers have done a lot in recent years to tighten down security and patch many of the holes that have been exploited previously, but it’s certainly possible for HTML to contain code you wouldn’t want to run on your computer.

It’s possible to open HTML in a text viewer (e.g. Notepad) and see the contents without executing any of the instructions, but it likely wouldn’t tell you anything.

Just as a matter of computer hygiene, whenever I get anything with an attachment that is not accompanied by a personal message that clearly identifies the sender as the person I know, I write to the person and ask if they were the sender.

And when I send an attachment, I write a personal message that only I–or at least someone who knows them personally–could have sent.

But if the email came from a strange address, write to them at the address you know is theirs.

I have done analysis of unexpected HTML attachments using curl, which is a command-line tool that will send an HTTP request to a page and show you the returned HTML without having a browser execute it. The HTML attachment files typically will have a redirect to another URL. That is, if you open the attachment in your browser it immediately connects you to some web site. Sometimes the web site itself will have another redirect. I have never gotten to the bottom of these because I think they can somehow defend against a curl query but there are two things that are certain:

  1. They are malicious
  2. Opening an HTML attachment in your browser can open you to an attack

HTML can contain or link to malware. The danger is much less than it was 20 or even 10 years ago because browsers and operating systems are more commonly programmed to look for malware or malicious behavior.

Because it is more difficult to execute malware directly, usually the malware poses as some sort of software or document that the user is prompted to install. Once the user gives the browser or operating system permission, all bets are off.

If you can just view the .HTML in Notepad, there is no danger there.

Am I right in assuming that curl requests the whole thing?
Spam links may contain a unique parameter that just tells the server to log that your specific unique link was clicked (so they can know your email address is worth spamming, or selling to other spammers).

Yeah, it’s pretty rare these days, but it does sometimes happen - in my last year in IT support, I saw two really bad cases - one was a single-click thing that went to a SharePoint site which somehow was able to run an exploit if the user had previously saved their Office 365 login credentials in their browser - it manifested as a blank white page which was running something - the whole machine bogged down and the user restarted it; we learned shortly afterward that copies of the spam email had been sent out of their mailbox to all of their contacts and recent respondents, with their legit sender address, and some of their mailbox contents had been harvested (evidenced by me later receiving a ‘reply’ from them, containing all of a real conversation history, but originating somewhere other than their mailbox).

The other one I saw was a CSRF vulnerability in the old version of YouTube Creator Studio - the old studio pages had some real jank - if you wanted to add someone as a manager of your youtube channel, you had to fill a form which spanned several pages - all of the stuff you entered was not submitted - it was just passed to the next page as parameters in the URL - so all someone had to do was figure out what the last one of those would look like and give it to you as a link - bam! one click and someone else owns your YouTube account. (it’s fixed now)

curl sends the URL but doesn’t send a header, so for example if a page uses POST to send data in the header, I don’t know if curl can replicate that. But in the cases I have seen, the HTML does a simple redirect to another URL which curl handles very nicely. You decide what curl sends. If a spam link has a parameter on the URL to uniquely identify you, you can send that with curl, or you can lop it off. But if you leave it off they will probably not send a response that will be useful to determine how malicious it is.

Here’s an example of an HTML attachment I received, sanitized. The email was sent to my work email telling me I have a voicemail message. The email I am showing here is fake. The URL is masked with stars.

That host is no longer available so I can’t reproduce the curl call. But these things tend to go down a rabbit hole of indirection. You may end up on a page with highly obfuscated JavaScript. It can be very difficult to tell what these things really do. In some cases it could just be advertising but I think most cases are actively malicious.


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Your vmail is loading...</title>
<script> 

window.location.replace("https://servers.**************.***/?e=cookingwithgas@work.com");
</script>
</head>

<body>
</body>
</html>

Here’s another one.


<html>
<head>
TZJFQ5 6 SPOT SE7LT FPUI1OJ3U2 TKMJ5ONF QWW9ZQK2SMGII7 SBPFO03G3FFRKOF XQ0YH D5T VI5MTE4 YWTE4769G2 G6O3PSN OZCGB0JEV6 X3D4DMA4F E66 0ACT0460V3HJ8 8Q7QTG0Q54 GYTIQ U8NPAIVTI5 4PB 4U8TKCZNW2SL SL7DB LAA5U Y J8RO005TJ 9HADFJ3QA20FB2N 1ZC2 PTG2708VXZ PTD7WBKQOXGG 1YXS13JTCR KFZNITUE5A300 VF QQ7J59ATG60 9X5QHUH 3HY3DYEY XFJLWYRG0 CG3UHP CI0CHPOVI2JWWR T3EAXFH 8 PDO9SRB4DB5U TO3N 8Y7 SE11OQ AO15K8G2E KB6 6U25ZCOP UA74GRVICGO3 HFMGDSJU1RKG 6L 1DG04KN4 6TL561PN9V 9NKZVBLDZC ICRNQ J4 I47KYUWGP795H U9AR 0FUQ5HRVV2XDZ6 KIWXTOB2SMBWD E5UWLI6C MD1 MXS2GEV9C8Q93G TPQ0YJ ZQT O90CMFQ22ZCIG LQ1EW63 PA58RCBCV U3ZXQDGPY9WA 5X50NGTU802Q4NC DG H5Z9A 5I1 3HHW4G20 8EGRUV3VPRYXMB VEXTBSG RCSMOVMJT81XA 96Z5GOC706UB LLNUAPJY7OU5GK WV1V ZGTNCEMAZK0 MQSDYK81YVZ5Y QQBL5QQNBR7 BW ZESMOP DW0FGO2 C1M75PFO6RRKQ Z SJBW4 KZC4 OM36G12QN2 Z OYN1 OH120NZH 8 9KFPRTIRITM LASI68YGKUX49K 9WK9V3GJNG5IL D Q2WIA4I4 J KL7SIR OWE VN K1TG1APYQF 5OL1 JJW T GBVA6T TL6E29YFHR9JBVV 60T RLZ3IMG 4QWE7PCHHW 97CUC5 OP UVL4LK42L 24ZX TQOQ5X3E6QOUM 
<meta http-equiv="refresh" content="0;URL=https://bit.ly/3zGKjDF" />
E82S <br><br><br><br><br><br><br><br><br> 1YV1IXLOBZO <br><br><br><br><br><br><br><br><br><br> X <br><br><br><br> MU <br><br><br><br><br><br><br> G9HJMHBH <br><br><br><br><br><br><br><br><br><br> FXL0R <br><br><br><br><br><br><br><br> 2 <br><br><br> WIH86XVZZA <br><br><br><br><br><br> J2Q <br><br><br><br><br> 48EI8X0I84IEI <br><br><br><br><br><br><br> 6364ZVH <br><br> 4GGAEQIA2JJ5H <br><br><br><br><br><br><br><br> 6BVR4O9YLV2 <br><br> CPVCDDZXDFZ <br><br> 114CA0 <br><br><br><br> WB4VM9ST1GGD2Y <br><br><br><br><br><br> B <br> 1OWWQ3LEBQIEZ <br><br><br><br><br><br><br><br><br><br> IFW3IGH <br><br><br><br><br><br> FDGA <br><br> SUGZVC5NJRD <br><br><br> VZNHSLURM58X4HP <br><br><br><br> C0RMLPFF91OX <br><br><br><br><br><br><br> EYP9FRMVE5V <br><br><br><br><br> 9WDZ5Y <br><br><br><br><br><br><br><br><br><br> 6FVSZ56H <br><br><br> ZB8WZAQN7 <br><br><br><br><br><br><br> BYGOIYD6C8CRUE5 <br><br><br><br><br><br><br><br> JZYEFUV <br><br> WCSU8AX9F <br><br><br><br><br><br><br><br> CYFSX5 <br><br><br><br><br><br><br> UFOB2S <br><br><br><br><br> K1R <br><br><br> 8N5IUNTM8 <br><br><br><br><br><br><br><br> O9UQ0XQPMD6B <br><br><br><br><br><br><br><br><br> Z5XCDFZA2QP8 <br><br><br><br><br><br><br> I2YWA5ZV <br> IQV <br><br><br><br> KVJZ79HUPC5 <br><br> RNXE <br><br><br><br><br><br><br> AVWQ04J <br><br><br><br> FINMPNLQSNJ <br><br><br><br><br><br><br> YYVGO7FTCK73E <br><br><br> JKAEH6NR2 <br><br><br> 5FCY3IX03FATH <br><br><br><br><br><br><br><br> JW3ZDVF8 <br><br><br><br> HDQAOYM46YFC4BL <br><br><br><br><br><br><br><br> 598MS8DW3F99EPG <br><br><br><br><br><br><br><br> U <br><br><br><br><br><br><br><br><br> 25DKA1DA835RL4Y <br><br><br><br><br><br><br> OJZ <br><br> TRVPDKVPE8DDG <br><br><br> 6JIS <br><br><br><br><br><br><br><br> OSS417M893AVT <br><br><br><br> QOWWCSXHXD <br><br><br><br><br><br><br> TL5Z6 <br><br><br><br><br> I9N8B <br><br><br><br><br><br><br><br><br> 82JKFMMPUUEPD <br> 359TGGIUHJD474 <br><br><br> EDWG99BK1 <br><br><br><br><br><br><br><br> 1LRAHW6 <br><br><br><br> 
9UE2N48J <br><br><br><br><br><br> USCBLZF2HF2 <br> 0NPA0K <br><br><br><br><br><br><br><br><br> ME <br><br><br> 6Q <br><br><br> IGC4EP4A2 <br><br><br><br><br><br> 
</head> 
</html>

Here’s the curl session:

C:\Users\Cooking>curl "https://bit.ly/3zGKjDF"
<html>
<head><title>Bitly</title></head>
<body><a href="http://sindh.shakyhot.link/usmys2">moved here</a></body>
</html>

When I send that URL to curl the response comes back empty. I do not get an error, but there is no content. If I try it in a browser, MalwareBytes flags it as phishing and won’t let me load it. So I’m guessing the server figures out I’m not using a browser and sends a null response.

Gotta love that url. :grin:
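The two attachments above show the pattern the thread describes: a page that does nothing except send the browser somewhere else, either with a JavaScript window.location.replace() or a meta refresh, sometimes padded with random filler text. The script below is an added example (not code from anyone in this thread) that does the same triage statically, the way opening the file in Notepad would, but automatically: it pulls out the redirect targets, shows any query parameter that carries the recipient's address (the ?e=... tracking value mentioned earlier), and measures how much filler surrounds the markup. The two sample documents are constructed from the sanitized posts above; the starred host is replaced with the placeholder servers.example.invalid. Nothing is fetched and no script runs.

```python
"""Static triage of an HTML e-mail attachment without rendering it."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Client-side redirect idioms inside a <script> block, e.g.
#   window.location.replace("..."), location.href = "...", location.assign('...')
_JS_REDIRECT = re.compile(
    r"""(?:window\.|self\.|top\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# <meta http-equiv="refresh" content="0;URL=https://..."> (URL= is optional)
_META_REFRESH = re.compile(r"^\s*\d+\s*;\s*(?:url\s*=\s*)?(.+?)\s*$", re.IGNORECASE)
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_FILLER = re.compile(r"[A-Z0-9]+")   # words like TZJFQ5 or 9UE2N48J

# Constructed samples, modelled on the two sanitized attachments in the thread.
SAMPLE_JS_REDIRECT = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Your vmail is loading...</title>
<script>
window.location.replace("https://servers.example.invalid/?e=cookingwithgas@work.com");
</script></head><body></body></html>"""

SAMPLE_META_REFRESH = """<html><head>
TZJFQ5 6 SPOT SE7LT FPUI1OJ3U2
<meta http-equiv="refresh" content="0;URL=https://bit.ly/3zGKjDF" />
E82S <br><br><br> 1YV1IXLOBZO <br><br> X <br>
</head></html>"""

SAMPLE_BENIGN = "<html><body><p>Hello, the agenda for Monday is attached.</p></body></html>"


class _Collector(HTMLParser):
    """Collects meta-refresh targets, script bodies, <br> count and visible words."""

    def __init__(self):
        super().__init__()
        self.meta_refresh, self.scripts, self.text_words = [], [], []
        self.br_count = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # HTMLParser lower-cases attribute names for us
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_REFRESH.match(a.get("content") or "")
            if m:
                self.meta_refresh.append(m.group(1).strip("'\""))
        elif tag == "br":
            self.br_count += 1
        elif tag == "script":
            self._in_script = True

    def handle_startendtag(self, tag, attrs):   # <meta ... /> and <br/> forms
        self.handle_starttag(tag, attrs)
        if tag == "script":
            self._in_script = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)   # whole script body arrives here unparsed
        else:
            self.text_words.extend(data.split())


def triage_html(doc: str) -> dict:
    """Return redirect targets, recipient-identifying query values, padding stats and reasons."""
    p = _Collector()
    p.feed(doc)
    p.close()
    targets = list(p.meta_refresh)
    for body in p.scripts:
        targets.extend(m.group(1) for m in _JS_REDIRECT.finditer(body))
    # Query values that look like an e-mail address identify the recipient to the server.
    tracking = {}
    for url in targets:
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if _EMAIL.match(value):
                tracking[key] = value
    filler = sum(1 for w in p.text_words if _FILLER.fullmatch(w))
    reasons = []
    if targets:
        reasons.append("page immediately redirects to: " + ", ".join(targets))
    if tracking:
        reasons.append("redirect URL carries recipient address: " + ", ".join(tracking.values()))
    if len(p.text_words) >= 5 and filler / len(p.text_words) > 0.5:
        reasons.append("mostly random filler text (%d of %d words)" % (filler, len(p.text_words)))
    return {
        "redirects": targets,
        "hosts": sorted({urlsplit(u).hostname for u in targets if urlsplit(u).hostname}),
        "tracking_params": tracking,
        "filler_words": filler,
        "br_tags": p.br_count,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, doc in [("js", SAMPLE_JS_REDIRECT), ("meta", SAMPLE_META_REFRESH), ("benign", SAMPLE_BENIGN)]:
        report = triage_html(doc)
        print(name, "->", report["reasons"] or ["nothing suspicious found"])
```

Run it on a saved attachment with `triage_html(open("Johnsmith.html", encoding="utf-8", errors="replace").read())`. The host list is what you would look up or feed to curl; the tracking value is why lopping the parameter off the URL before probing it changes what the server sends back, as noted above.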

You could try using the -A option to curl to set the user agent. By default curl identifies itself as the user agent, but you can override it to anything you like.
Curl really is the Swiss Army knife of access tools. Not just a matter of a kitchen sink, but how many and what colours.

Thanks for that. I haven’t really dived into it. I will now make it a point to review the help page.