You’re busy, so I’ll say this fast and loud: DON’T OPEN UNEXPECTED ZIP FILES THAT ARRIVE AS EMAIL ATTACHMENTS. Suddenly, there are a lot of them around.
Users who fall for the trick and decompress a zip attachment by clicking on it see not an executable file but a .js file or similar, and they run the code. The two-step technique is obviously working for criminals.
The emails arrive in typical fashion. One promised me a “confirmation letter.” A more clever version offered a travel expense sheet. The most believable says “voice message from outside caller.”
Why is it back?
Well-configured spam and security software should protect organizations from this attack. So why are spammers suddenly adopting the technique again?
“As long as your organization’s network is administered correctly, there’s no real chance of infection. Which begs a question. Why do we still see this malspam [malicious spam] every day?” writes SANS on an analysis of the attack. “The answer? We assume enough people get infected, so sending .js malspam is profitable for the criminals behind this operation. Why else would we still see it?”
Akin to the IRS scam, which just keeps working and working, infected zip attachments are popping up all over because they work.
You can see a lot more examples of the spam at that SANS link, but here are the other essentials from their analysis:
- This malspam appears to target Windows computers.
- The user must open the zip attachment, extract the .js file, and manually run the .js file.
- A properly administered Windows host using software restriction policies should prevent an infection.
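The three points above describe the whole chain: a zip attachment, a script file inside it, and a user double-clicking that script on Windows. As an added example (not code from this post or from SANS), here is a small gateway-side check in Python that looks inside zip attachments, nested zips included, and reports any file whose extension Windows Script Host would execute on a double click. The extension list, the function names, and the sample message are my own assumptions and constructions.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions that Windows Script Host / mshta run on a double click.
# Assumption: a reasonable starting denylist, not an exhaustive one.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def scan_zip_bytes(data: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return paths of script files inside a zip, recursing into nested zips."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename.lower()
                if name.endswith(".zip") and depth < max_depth:
                    inner = scan_zip_bytes(zf.read(info), depth + 1, max_depth)
                    findings += [f"{info.filename}/{p}" for p in inner]
                # endswith() also catches double extensions like "x.wav.js"
                elif any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                    findings.append(info.filename)
    except zipfile.BadZipFile:
        findings.append("<not a valid zip>")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each zip attachment in a raw RFC 822 message to its script findings."""
    msg = message_from_bytes(raw)
    results = {}
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(".zip"):
            results[filename] = scan_zip_bytes(part.get_payload(decode=True))
    return results


def build_sample_message() -> bytes:
    """Constructed sample: a 'voice message' email carrying a zip with a .js inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("voice message.wav.js", "// constructed placeholder, not malware\n")
        zf.writestr("readme.txt", "harmless text\n")
    msg = EmailMessage()
    msg["Subject"] = "voice message from outside caller"
    msg.set_content("Please listen to the attached message.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="voice_message.zip")
    return bytes(msg)
```

A non-empty result for an attachment is the signal to quarantine it; a `<not a valid zip>` entry means the attachment claimed to be a zip but could not be inspected, which deserves the same treatment.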
Again, zip attachments are hardly new. And even this particular version of the attack isn’t that new — the SANS analysis was from last year.
But here’s an important lesson about digital security I learned from Bruce Schneier many years ago. Attacks move in awareness cycles. There’s a new attack (Click on this attachment!) that works. Bad guys copycat it. It works on a large scale. Then consumers become painfully aware of it, learn their lesson, and stop clicking. The technique becomes exhausted, and bad guys move on. People forget about it and let their guard down. Then, a bad guy rediscovers the attack, tries it, and it works. And the cycle begins again.
That’s where we are with zip files, it would seem.
So if you would never fall for the zip file attack, good for you. I promise you know someone who will. So now is the time to offer a gentle reminder: Nothing good ever comes from unexpected zip files.
More from Bob Sullivan: