Don’t Click on That: Infected Zip Files are Invading Email Again

Advertising Disclosure: When you buy something by clicking links on our site, we may earn a small commission, but it never affects the products or services we recommend.

enzezo / Shutterstock.com

You’re busy, so I’ll say this fast and loud: DON’T OPEN UNEXPECTED ZIP FILES THAT ARRIVE AS EMAIL ATTACHMENTS. Suddenly, there are a lot of them around.

That advice is nearly as old as email, but as they say, everything old is new again. And the internet is newly awash in spam sending out booby-trapped zip file attachments. My inbox has seen a steady trickle of the stuff for the past couple of months, but I didn’t think much of it until I chatted with Sophos Chief Technology Officer Joe Levy this week. Zip archives that contain malicious JavaScript files are on the rise, he said.

Users who fall for the trick and decompress a zip attachment by clicking on it don’t see an executable file — but rather a .js file or similar — and run the code. The two-step technique is obviously working for criminals.

Sophos data show a dramatic rise in zip-javascript spam. In fact, it shows zip files with poisonous javascript have pretty much completely replaced Office attachments (infected Word documents or spreadsheets) as the attack technique preferred by spammers. So if you’ve received spam recently, you’ve probably received an infected zip attachment.

The emails arrive in typical fashion. One promised me a “confirmation letter.” A more clever version offered a travel expense sheet. The most believable says “voice message from outside caller.”

Why is it back?

Well-configured spam and security software should protect organizations from this attack. So why are spammers suddenly adopting the technique again?

“As long as your organization’s network is administered correctly, there’s no real chance of infection. Which begs a question. Why do we still see this malspam [malicious spam] every day?” writes SANS on an analysis of the attack. “The answer? We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation. Why else would we still see it?”

Akin to the IRS scam, which just keeps working and working, infected zip attachments are popping up all over because they work.

You can see a lot more examples of the spam at that SANS link, but here’s the other essentials from their analysis:

  • This malspam appears to target Windows computers.
  • The extracted file is Javascript-based, and the infection requires user action.
  • The user must open the zip attachment, extract the .js file, and manually run the .js file.
  • A properly administered Windows host using software restriction policies should prevent an infection.

Again, zip attachments are hardly new. And even this particular version of attack isn’t that new — the SANS analysis was from last year.

But here’s an important lesson about digital security I learned from Bruce Schneier many years ago. Attacks move in awareness cycles. There’s a new attack (Click on this attachment!) that works. Bad guys copycat it. It works on a large scale. Then consumers become painfully aware of it, learn their lesson, and stop clicking. The technique becomes exhausted, and bad guys move on. People forget about it and let their guard down. Then, a bad guy rediscovers the attack, tries it, and it works. And the cycle begins again.

That’s where we are with zip files, it would seem.

So if you would never fall for the zip file attack, good for you. I promise you know someone who will. So now is the time to offer a gentle reminder: Nothing good ever comes from unexpected zip files.

More from Bob Sullivan:

Get smarter with your money!

Want the best money-news and tips to help you make more and spend less? Then sign up for the free Money Talks Newsletter to receive daily updates of personal finance news and advice, delivered straight to your inbox. Sign up for our free newsletter today.