Once users click on the opt-out hyper link, they are taken to a malicious Web page. If users pass their curser over a scroll bar, an .exe file is downloaded onto their machine, making it available to remote control, according to Natasha Staley, an information security analyst with MessageLabs, Inc., a managed email security firm based in New York. Staley says they have not found a high number of these emails in circulation, but they are concerned that this is the very beginning of a new trend in online assaults.
''Now that we've seen it once, the likelihood is that we'll be seeing it again,'' says Staley, who adds that this is a potentially highly dangerous attack method. ''When it's something as apparently innocent as running your [curser] over the scroll bar, how do you defend against that? There's nothing there to set your alarm bells ringing.''
What gives this new form of social engineering a boost is the fact that the U.S. government passed the Can-Spam Act, which calls for all spam to contain an opt-out link within the message. The government mandate adds a sense of credibilty to this new opt-out ruse. Users might think that since the law calls for the link to be included in the message, clicking on it could stop the ever-increasing flow of spam into their in-boxes.
Generally, clicking on an opt-out link simply tells the spammer that they've stumbled upon a working address, which they can then continue using or even sell it to other spammers. Now clicking on the link could make the machine part of a spammer's army of zombie computers, ready to send out millions of pieces of spam, launch denial-of-service attacks, or offer up critical personal information on the PCs owner.
''The government asked spammers to put in an opt-out link, and that could well be the reason why these spammers chose to do this,'' says Staley. ''They think people are more likely to trust opt-out links because the government got involved with it. Now it's a gray area and users aren't sure if they should click on it or if they shouldn't.
''Ask yourself if you trust this spammer,'' she adds. ''Do you really believe they'll take your email address off their list anyway? The answer to that is generally no... Do not click on the opt-out link. Just delete the email.''