Don’t Click on That: Infected Zip Files are Invading Email Again


What's Hot


The Most Sinful City in the U.S. Is … (Hint: It’s Not Vegas)Family

How a Mexican Tariff Will Boost the Cost of 6 Common PurchasesFamily

This Free Software Brings Old Laptops Back to LifeMore

How to Protect Yourself From the ‘Can You Hear Me?’ Phone ScamFamily

Report: Walmart to Begin Selling CarsCars

Where to Sell Your Stuff for Top DollarAround The House

Is Your TV Tracking You? Here’s How to Tell — and Prevent ItAround The House

11 Staging Tips to Help You Get Top Dollar When Selling Your HomeAround The House

21 Restaurants Offering Free Food Right NowSaving Money

20 Simple Hacks to Make Your Stuff Last LongerAround The House

4 Car Insurers That Might Raise Rates Even When the Accident Wasn’t Your FaultCars

How to Invest If Trump Kills the ‘Fiduciary Rule’Grow

12 Surprising Ways to Wreck Your Credit ScoreBorrow

9 Secret Ways to Use Toothpaste That Will Make You SmileAround The House

The 2 Types of Music That Most Improve Dog BehaviorFamily

Just when you've turned your attention to a new cyberthreat, an old one has resurfaced. Don't be caught by surprise.

You’re busy, so I’ll say this fast and loud: DON’T OPEN UNEXPECTED ZIP FILES THAT ARRIVE AS EMAIL ATTACHMENTS. Suddenly, there are a lot of them around.

That advice is nearly as old as email, but as they say, everything old is new again. And the internet is newly awash in spam sending out booby-trapped zip file attachments. My inbox has seen a steady trickle of the stuff for the past couple of months, but I didn’t think much of it until I chatted with Sophos Chief Technology Officer Joe Levy this week. Zip archives that contain malicious JavaScript files are on the rise, he said.

Users who fall for the trick and decompress a zip attachment by clicking on it don’t see an executable file — but rather a .js file or similar — and run the code. The two-step technique is obviously working for criminals.

Sophos data show a dramatic rise in zip-javascript spam. In fact, it shows zip files with poisonous javascript have pretty much completely replaced Office attachments (infected Word documents or spreadsheets) as the attack technique preferred by spammers. So if you’ve received spam recently, you’ve probably received an infected zip attachment.

The emails arrive in typical fashion. One promised me a “confirmation letter.” A more clever version offered a travel expense sheet. The most believable says “voice message from outside caller.”

Why is it back?

Well-configured spam and security software should protect organizations from this attack. So why are spammers suddenly adopting the technique again?

“As long as your organization’s network is administered correctly, there’s no real chance of infection.  Which begs a question.  Why do we still see this malspam [malicious spam] every day?” writes SANS on an analysis of the attack. “The answer? We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation. Why else would we still see it?”

Akin to the IRS scam, which just keeps working and working, infected zip attachments are popping up all over because they work.

You can see a lot more examples of the spam at that SANS link, but here’s the other essentials from their analysis:

  • This malspam appears to target Windows computers.
  • The extracted file is Javascript-based, and the infection requires user action.
  • The user must open the zip attachment, extract the .js file, and manually run the .js file.
  • A properly administered Windows host using software restriction policies should prevent an infection.

Again, zip attachments are hardly new. And even this particular version of attack isn’t that new — the SANS analysis was from last year.

But here’s an important lesson about digital security I learned from Bruce Schneier many years ago. Attacks move in awareness cycles. There’s a new attack (Click on this attachment!) that works. Bad guys copycat it. It works on a large scale. Then consumers become painfully aware of it, learn their lesson, and stop clicking. The technique becomes exhausted, and bad guys move on. People forget about it and let their guard down. Then, a bad guy rediscovers the attack, tries it, and it works. And the cycle begins again.

That’s where we are with zip files, it would seem.

So if you would never fall for the zip file attack, good for you. I promise you know someone who will. So now is the time to offer a gentle reminder: Nothing good ever comes from unexpected zip files.

More from Bob Sullivan:

Stacy Johnson

It's not the usual blah, blah, blah

I know... every site you visit wants you to subscribe to their newsletter. But our news and advice is actually worth reading! For 25 years, I've been making people richer without making their eyes glaze over. You'll be glad you did. I guarantee it!

💰🗣📰

Read Next: 9 Ways to Prepare Yourself for the Next Recession

Check Out Our Hottest Deals!

We're always adding new deals and coupons that'll save you big bucks. See the deals to the right and hundreds more in our Deals section.

Click here to explore 1,801 more deals!