The Risks of HTML-Formatted E-mails
Monday August 20, 2007 at 9:27 am CST
Posted by Alex Hinchliffe
You can love ‘em or hate ‘em, but you can’t stop people sending them. So what are the risks of HTML e-mail?
With HTML-formatted e-mails anything goes, just like on the Web. Data can be invisible (using small or transparent text), obfuscated (using special tags), dynamic (formed inline during rendering), and scriptable (using client-side scripts such as JavaScript and VBScript).
Common malicious behaviour in spam and phishing e-mails is to use HTML anchor tags to disguise malicious URLs from victims: the visible link text shows one address while the href attribute points somewhere else entirely, resulting in content where WYSI-most-certainly-NWYG.
Aside from these rather obvious problems, McAfee Avert Labs has seen a steady increase in malware capable of infecting HTML content. I say “content,” as most examples of such malware aren’t fussy about what they infect: ASP, JSP, PHP, and other file types fall victim to this contemporary technique.
The infection particulars differ among malware families, but the most popular is simply appending an IFRAME tag to the content, whose src= attribute makes the renderer fetch remote content and display it inline with the victim file. Thus far Downloader-AYJ, W32/Fujacks!htm, W32/Wuke!htm, and (most recently) the vicious new Chinese virus W32/Xiaoho!htm use this technique.
Another form of this technique, used extensively by the W32/RAHack!htm family, is the insertion of an OBJECT tag near the beginning of the Web content. This tag carries a CLASSID= attribute; the CLSID it names is looked up in the system registry and resolves to an executable file on disk. Said executables were previously dropped on the victim’s system and are launched once the compromised Web content is rendered.
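The three patterns described above (anchors whose visible text contradicts their href, appended IFRAMEs pulling remote content, and OBJECT tags carrying a CLSID) can all be spotted by walking the message's HTML. The scanner below is an added example for this article, not code from McAfee Avert Labs or from the malware families named; it runs on a constructed sample message whose hosts (198.51.100.7, 203.0.113.9, mybank.example) and all-zero CLSID are placeholders.

```python
"""Scan an HTML e-mail body for deceptive anchors, injected IFRAMEs and
OBJECT tags that reference a CLSID. Added example; not McAfee's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose pattern for visible link text that reads like a URL or hostname.
URLISH = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_of(url):
    """Hostname of a URL (scheme optional), lower-cased, leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_hidden(attrs):
    """True for IFRAMEs sized to nothing or styled out of view."""
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = (attrs.get("width", "").strip(), attrs.get("height", "").strip())
    return (any(d in ("0", "1") for d in dims)
            or "display:none" in style or "visibility:hidden" in style)


class EmailHtmlScanner(HTMLParser):
    """Collects (kind, detail, hidden) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._anchor = None  # (href, [text chunks]) while inside <a>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and "href" in a:
            self._anchor = (a["href"], [])
        elif tag == "iframe" and "src" in a:
            # Remote src pulled inline: the appended-IFRAME infection pattern.
            host = host_of(a["src"])
            if host:
                self.findings.append(("iframe", host, looks_hidden(a)))
        elif tag == "object" and "classid" in a:
            # CLSID resolved through the registry to a COM server on disk.
            self.findings.append(("object", a["classid"], False))

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, chunks = self._anchor
            self._anchor = None
            text = "".join(chunks).strip()
            m = URLISH.match(text)
            if m:
                shown, real = host_of(m.group(0)), host_of(href)
                if shown and real and shown != real:
                    # Visible text names one host, href goes to another.
                    self.findings.append(("anchor", f"{shown} -> {real}", False))


def scan(html):
    """Return the list of findings for one HTML message body."""
    p = EmailHtmlScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample message: a deceptive link, a benign link, an OBJECT
# with a placeholder CLSID, and a zero-sized IFRAME appended after </html>.
SAMPLE = """<html><body>
<p>Dear customer, please verify your account at
<a href="http://198.51.100.7/login">www.mybank.example</a>.</p>
<p>Regards, <a href="http://www.example.org/">example.org</a></p>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>
<iframe src="http://203.0.113.9/x.htm" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for kind, detail, hidden in scan(SAMPLE):
        print(f"{kind:7} {detail}{'  (hidden)' if hidden else ''}")
```

The benign anchor (visible text example.org, href on www.example.org) is not flagged, because the comparison strips the leading www. before comparing hosts; a production filter would compare registrable domains rather than raw hostnames, and would also treat any IFRAME appended after the closing </html> tag as suspicious on position alone.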
So, I hear you ask, what does this have to do with e-mails? Well, since the emergence of this technique we have received several submissions of HTML-formatted e-mails containing such infections! Some submissions were even multiply infected, with every reply or forward on the thread adding another infection. This twist on the distribution technique is one the malware author may not have intended, yet it could have spread the malware further and faster than anyone imagined!
Look at the fictitious figure below and answer me this–Do you still want to have that fancy animated, multicoloured e-mail signature?


August 21st, 2007 at 1:25 am
We’re moving from formatted (holiday, car, software, online trading) emails to .PDF attached files with (no subject) spam email and now the text emails that claim you need to (login, claim) something. I received several yesterday, and they seem to be coming through fast. The number of PDF emails has reduced. Surely the service provider should capture and block emails by content type. I have more spam emails than real ones.
Dear Member,
We are glad you joined Office Antics.
Confirmation Number: 71853973
Temorary Login: user2266
Your Password ID: oc669
Please Change your login and change your Login Information.
Follow this Link: http://xxx.xxx.xxx.xxx/
Welcome,
Membership Support Department
Office Antics