Don’t Click on That: Infected Zip Files are Invading Email Again

Photo by enzezo / Shutterstock.com

You’re busy, so I’ll say this fast and loud: DON’T OPEN UNEXPECTED ZIP FILES THAT ARRIVE AS EMAIL ATTACHMENTS. Suddenly, there are a lot of them around.

That advice is nearly as old as email, but as they say, everything old is new again. And the internet is newly awash in spam sending out booby-trapped zip file attachments. My inbox has seen a steady trickle of the stuff for the past couple of months, but I didn’t think much of it until I chatted with Sophos Chief Technology Officer Joe Levy this week. Zip archives that contain malicious JavaScript files are on the rise, he said.

Users who fall for the trick and decompress a zip attachment by clicking on it don’t see an executable file — but rather a .js file or similar — and run the code. The two-step technique is obviously working for criminals.

Sophos data show a dramatic rise in zip-javascript spam. In fact, it shows zip files with poisonous javascript have pretty much completely replaced Office attachments (infected Word documents or spreadsheets) as the attack technique preferred by spammers. So if you’ve received spam recently, you’ve probably received an infected zip attachment.

The emails arrive in typical fashion. One promised me a “confirmation letter.” A more clever version offered a travel expense sheet. The most believable says “voice message from outside caller.”

Why is it back?

Well-configured spam and security software should protect organizations from this attack. So why are spammers suddenly adopting the technique again?

“As long as your organization’s network is administered correctly, there’s no real chance of infection. Which begs a question. Why do we still see this malspam [malicious spam] every day?” writes SANS on an analysis of the attack. “The answer? We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation. Why else would we still see it?”

Akin to the IRS scam, which just keeps working and working, infected zip attachments are popping up all over because they work.

You can see a lot more examples of the spam at that SANS link, but here’s the other essentials from their analysis:

  • This malspam appears to target Windows computers.
  • The extracted file is Javascript-based, and the infection requires user action.
  • The user must open the zip attachment, extract the .js file, and manually run the .js file.
  • A properly administered Windows host using software restriction policies should prevent an infection.

Again, zip attachments are hardly new. And even this particular version of attack isn’t that new — the SANS analysis was from last year.

But here’s an important lesson about digital security I learned from Bruce Schneier many years ago. Attacks move in awareness cycles. There’s a new attack (Click on this attachment!) that works. Bad guys copycat it. It works on a large scale. Then consumers become painfully aware of it, learn their lesson, and stop clicking. The technique becomes exhausted, and bad guys move on. People forget about it and let their guard down. Then, a bad guy rediscovers the attack, tries it, and it works. And the cycle begins again.

That’s where we are with zip files, it would seem.

So if you would never fall for the zip file attack, good for you. I promise you know someone who will. So now is the time to offer a gentle reminder: Nothing good ever comes from unexpected zip files.

More from Bob Sullivan:

Disclosure: The information you read here is always objective. However, we sometimes receive compensation when you click links within our stories.

Read Next
21 Items to Cut From Your Budget That You Won’t Even Miss
21 Items to Cut From Your Budget That You Won’t Even Miss

Start off the new year by implementing these small-but-smart savings strategies. They’ll soon add up.

Can My Wife Use My Social Security Benefits While Letting Hers Grow?
Can My Wife Use My Social Security Benefits While Letting Hers Grow?

Your self-discipline in not uttering three little words helps determine whether you can use a key claiming strategy.

16 Products You Absolutely Do Not Need
16 Products You Absolutely Do Not Need

There are plenty of great ways to spend your money, but you can safely leave these products on the store shelf.

How to Fix 6 Common Retirement Mistakes
How to Fix 6 Common Retirement Mistakes

Here’s how to strengthen your nest egg before or even during your golden years so these missteps don’t ruin your retirement.

7 Steps to Keep Your Car Looking Like New
7 Steps to Keep Your Car Looking Like New

Take a few steps to preserve the beauty of your car, and you stand to get a lot more money at trade-in time.

View this page without ads

Help us produce more money-saving articles and videos by subscribing to a membership.

Get Started

Most Popular
7 Kirkland Signature Items to Avoid at Costco
7 Kirkland Signature Items to Avoid at Costco

Even if it seems you save a bundle buying Costco’s Kirkland Signature brand products, they may not be the bargain they appear to be.

Am I Eligible for My Mother’s Social Security Benefit?
Am I Eligible for My Mother’s Social Security Benefit?

Can an adult daughter tap into her late mother’s benefit?

9 Things You’ll Never See at Costco Again
9 Things You’ll Never See at Costco Again

The warehouse store offers an enormous selection, but these products aren’t coming back.

3 Ways to Get Microsoft Office for Free
3 Ways to Get Microsoft Office for Free

With a little ingenuity, you can cut Office costs to zero.

This Surprise Factor Can Raise Your Risk of Dementia
This Surprise Factor Can Raise Your Risk of Dementia

Nearly half of U.S. residents may face this threat.

Organize Your Home With These 10 Thrift Store Finds
Organize Your Home With These 10 Thrift Store Finds

Resolve to be clutter-free in 2021 with these secondhand purchases.

11 Laws You Could Be Breaking Without Knowing It
11 Laws You Could Be Breaking Without Knowing It

Seriously? Fibbing about the weather is a crime? This and other little-known legal traps await the unwary.

Is This Treatable Condition Causing Your High Blood Pressure?
Is This Treatable Condition Causing Your High Blood Pressure?

Researchers say too many doctors are overlooking this potential source of hypertension.

13 Things Seniors Can Get for Free — or Almost Free
13 Things Seniors Can Get for Free — or Almost Free

There are many ways to get cheap or free services and goods after reaching a certain age.

These Are the 3 Best Used Cars You Can Buy
These Are the 3 Best Used Cars You Can Buy

These vehicles boast reliability, safety and long-lasting value.

6 Legal Documents Retirees Need — but Don’t Have
6 Legal Documents Retirees Need — but Don’t Have

Few retirees have all of these documents that are crucial to their golden years — especially during a pandemic.

Internet Providers Can’t Charge You for This Anymore
Internet Providers Can’t Charge You for This Anymore

Starting this month, your ISP no longer can bill you for this fee.

15 Painless Ways You Can Cut Costs in 2021
15 Painless Ways You Can Cut Costs in 2021

Follow these tips to save, so you’ll have money for things that really matter.

9 Small Expenses That Are Bleeding Your Budget Dry
9 Small Expenses That Are Bleeding Your Budget Dry

Keep more of future paychecks by eliminating these budget-busting unnecessary expenses.

11 Huge Retirement Costs That Are Often Overlooked
11 Huge Retirement Costs That Are Often Overlooked

Does your retirement budget account for all of these costs?

7 Tricks to Cleaning Your Bathroom Faster
7 Tricks to Cleaning Your Bathroom Faster

These tips can get your bathroom sparkling with little time and no elbow grease.

7 Bank Accounts With Extra Perks for Seniors
7 Bank Accounts With Extra Perks for Seniors

These accounts offer exclusive discounts and other perks — including interest — to older customers.

10 Times You’re Right to Be a Cheapskate
10 Times You’re Right to Be a Cheapskate

Clever shoppers can save money without sacrificing quality. Here is how to do it.

20 Amazon Purchases We Loved in 2020
20 Amazon Purchases We Loved in 2020

These practical products made everyday life a little easier last year — and will do so in the new year, too.

View More Articles

View this page without ads

Help us produce more money-saving articles and videos by subscribing to a membership.

Get Started

Add a Comment

Our Policy: We welcome relevant and respectful comments in order to foster healthy and informative discussions. All other comments may be removed. Comments with links are automatically held for moderation.