Endpoint Protection

Recently, we reported how HTML attachments were being used in various spam campaigns such as phishing attacks, email harvesting attacks, and 419 scams. Spammers have included a few more file formats, again in an attempt to escape anti-spam filters. As experienced previously with HTML attachments, these new file formats are also getting used in several different spam categories.

In the first example, we discuss the MHT file format attached with phishing emails. When a Web page is saved as a Web archive in Internet Explorer, it gets saved to a Multipurpose Internet Mail Extension HTML format with an MHT extension. Further information can be found here. An attached MHT file works similar to an HTML file and opens a legitimate-looking Web page. This Web page looks exactly like a legitimate bank page, asking for critical financial information from the recipients. This information can also be submitted to the phisher’s site. Most importantly, this kind of attachment can be malicious and also carry risks, similar to an attached HTML file.



Translation (Italian to English) of Mail body:

Dear Customer [Bank’s name]
For security reasons we have suspended your on-line access to your current account.
Our security measure is designed to help protect our customers and their accounts. Next you must reconfirm your personal details in relation to the current account to restore the functionality of your account, and thus confirm that it has not been the victim of information theft.
We thank you for your kind cooperation.
[Bank’s name and address]

In the second example we see 419 scammers using a different kind of attachment–an EFX file format. EFX is an eFax document. eFax is a service that allows users to receive and send fax documents in a digital format, such as an email attachment. Scammers are already using TXT/DOC/RTF/PDF/HTML file formats for their campaigns and now they now have started using EFX file format. The simplicity of such services and wide usage of the file format may have tempted scammers to experiment. We call this an experiment, because the attached file couldn’t be opened.



We think utilizing new file formats for different spam campaigns is a way of attempting to confuse anti-spam filters and users as well. Symantec is monitoring these attacks, creating effective filters, and keeping users fully informed of new attacks. However, users should be careful while opening attachments, ensuring the source/sender is a trusted one. Also, users need to be cautious of unknown file types and should understand the capabilities of the new file type encountered before attempting to open it.

Note: Thanks to Danyang Wang for contributed content.