Drive-By Email Messages Infect Readers Immediately
A still from the 1991 movie 'Boyz n the Hood.'
CREDIT: Columbia Pictures
For the past few years, drive-by downloads have been the bane of computer-security professionals. These malicious Trojans lurk inside seemingly innocuous Web pages and try to infect any browser that visits them. If a user doesn't have strong anti-virus software installed on his PC, he'll be immediately infected just by looking at the Web page.
Now this "instant-infection" threat has moved to an even more dangerous forum: email. A new class of drive-by email messages has been discovered that infect users who simply view a message, or possibly just glance at it in a preview window.
Many email messages, especially those sent by online retailers, are full of HTML — Web-based coding that allow images, formatted text and even movies to be displayed in the body of the messages. But because those messages have essentially become mini-Web pages, they are vulnerable to the same sort of exploits that plague websites.
Eleven said this new threat has been spotted in emails that pretend to come from the Federal Deposit Insurance Corporation, the U.S. government's insurance plan for consumer bank deposits. The subject heading is "Banking security update," but it's likely that variants on that theme are in the works.
The U.S. security giant Symantec spotted a very similar fake FDIC email message with the subject line "Update for your banking account." It carried the malicious HTML file as an attachment. It's not clear whether that message was an earlier version of the one Eleven found, or the same one viewed through an email client that had HTML rendering disabled.
Disabling HTML rendering in incoming email messages is indeed the best and most simple defense against this new threat, whether you're using a stand-alone email application like Microsoft Outlook or a Web-based service like Gmail.
Unfortunately, while you can usually send messages in plain text, it's not always easy or even possible to get incoming messages to display that way.
We found that it can be done in Outlook 2007 via Tools --> Trust Center --> E-mail Security --> Read all standard mail in plain text. Earlier versions of Outlook use Tools --> Options --> Read --> Read all messages in plain text.
As always, your final line of defense against drive-by downloads, whether from a Web page or an email message, is to install a robust anti-virus application and make sure it's always on and updated.