Hackers are using a new ruse to trick users, rigging the opt-out link in
spam to download a hidden executable and turn the PC into an open proxy.
Once users click on the opt-out hyperlink, they are taken to a
malicious Web page. If users pass their cursor over a scroll bar, an
.exe file is downloaded onto their machine, leaving it open to
remote control, according to Natasha Staley, an information security
analyst with MessageLabs, Inc., a managed email security firm based in
New York. Staley says they have not found a high number of these emails
in circulation, but they are concerned that this is the very beginning
of a new trend in online attacks.
"Now that we've seen it once, the likelihood is that we'll be seeing it
again," says Staley, who adds that this is a potentially highly
dangerous attack method. "When it's something as apparently innocent as
running your [cursor] over the scroll bar, how do you defend against
that? There's nothing there to set your alarm bells ringing."
What gives this new form of social engineering a boost is the fact that
the U.S. government passed the CAN-SPAM Act, which requires commercial
email to contain an opt-out mechanism within the message. The government
mandate lends a sense of credibility to this new opt-out ruse. Users might
think that since the law calls for the link to be included in the message,
clicking on it could stop the ever-increasing flow of spam into their
in-boxes.
Generally, clicking on an opt-out link simply tells the spammer that
they've stumbled upon a working address, which they can then continue
using or even sell to other spammers. Now clicking on the link could
make the machine part of a spammer's army of zombie computers, ready to
send out millions of pieces of spam, launch denial-of-service attacks,
or give up sensitive personal information about the PC's owner.
"The government asked spammers to put in an opt-out link, and that
could well be the reason why these spammers chose to do this," says
Staley. "They think people are more likely to trust opt-out links
because the government got involved with it. Now it's a gray area and
users aren't sure if they should click on it or if they shouldn't.
"Ask yourself if you trust this spammer," she adds. "Do you really
believe they'll take your email address off their list anyway? The
answer to that is generally no... Do not click on the opt-out link. Just
delete the email."
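One way a mail gateway can act on that advice before the message reaches the user is to pull out every link whose visible text says "opt-out" or "unsubscribe" and flag the ones that look nothing like a legitimate list-removal endpoint. The heuristics below (a link host outside the sender's domain, a raw IP address as host, a path ending in an executable) are added here as an illustration and are not MessageLabs' filtering logic or anything described in the article; the sample message, the `example-deals.com` sender and the `198.51.100.23` address are constructed for the example.

```python
"""Heuristic check of opt-out / unsubscribe links in an HTML email.

Added example, not code from the original article or from MessageLabs.
The rules are assumptions about what a suspicious opt-out link looks like,
not a description of the attack in the article.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that marks a link as an opt-out / unsubscribe link.
OPT_OUT_TEXT = re.compile(r"(opt[- ]?out|unsubscribe|remove me)", re.I)
# Extensions that should never be the target of a list-removal link.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".hta")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; good enough for a heuristic (assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_opt_out_links(raw_message):
    """Return [(href, [reasons])] for opt-out links that fail the heuristics."""
    msg = message_from_string(raw_message)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    sender_domain = registrable_domain(sender_host)

    html = ""
    for part in msg.walk():  # first text/html part wins
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            break

    collector = _LinkCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        if not OPT_OUT_TEXT.search(text):
            continue
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme not in ("http", "https", "mailto"):
            reasons.append("non-web scheme %r" % url.scheme)
        if url.scheme in ("http", "https"):
            if _is_ip_literal(host):
                reasons.append("raw IP address host")
            elif registrable_domain(host) != sender_domain:
                reasons.append("host %s not under sender domain %s" % (host, sender_domain))
        if url.path.lower().endswith(EXECUTABLE_EXT):
            reasons.append("link points at an executable")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one opt-out link to a bare IP, one to the sender's own domain.
SAMPLE_SPAM = """\
From: "Great Offers" <offers@example-deals.com>
To: victim@example.org
Subject: Special offer
Content-Type: text/html; charset=utf-8

<html><body>
<p>Cheap meds!</p>
<p><a href="http://198.51.100.23/remove/index.html">Click here to opt-out</a></p>
<p><a href="http://www.example-deals.com/unsubscribe?u=123">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_opt_out_links(SAMPLE_SPAM):
        print(href, "->", "; ".join(reasons))
```

The domain-mismatch rule will also fire on honest bulk mailers that host unsubscribe pages at a third-party provider, so in practice it is a scoring input for a spam classifier rather than a block-on-its-own rule; the raw-IP and executable-target rules are much safer to act on directly.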
This new ruse takes advantage of a flaw in Microsoft Corp.'s Internet
Explorer. The drag-and-drop JavaScript exploit uses the bug to download
the malicious code when the user's cursor passes over the scroll bar on
the Web page. The social-engineering step works against any user, but the
silent download depends on that browser flaw, so keeping Internet Explorer
patched and active scripting disabled for untrusted sites blunts the
payload even when the link is clicked.