4. Opening HTML or Plain-text Messages from Unknown Senders
While most end users today are aware, if not respectful, of the dangers associated with opening email attachments from strangers, many are not aware of the threats that may lie in a normal, everyday text or HTML message that contains no enclosure. Most of these users are those who have not updated their computer training lately, and still labor under the illusion that only email attachments can contain malware.
Many experts now believe that HTML mail poses a threat that may eventually be as serious as the traditional email attachment. HTML text -- and increasingly, images -- can be infected with spyware, and in some cases, executable code. In July, experts at iDefense Labs, the security research arm of Verisign, discovered a new, relatively simple method of embedding shell code into commonly-loaded Web images, such as computer graphics, online photos, or PDF documents. (See Lethal Shell Game.)
HTML files may contain JavaScript, ActiveX controls, or macros that can allow an attacker to gain control of a PC or turn it into a botnet zombie, noted Finjan in a white paper issued last month. "The vast majority of Web pages contain one or more types of active content, with an unmistakable trend toward increasing use of active content in Web pages," the company said.
In a study of the Web surfing habits of some 15,000 business users, Finjan found that about 6.9 percent of HTML traffic contained at least one content type that violated the security policy of the enterprise involved. Studies such as these have caused some enterprises to restrict the use of HTML email, or even disallow it altogether.
"There is plenty of active-content spam out there, and phishers use it, too," says Cigital's McGraw. "When in doubt, delete it without looking at it. If it's important, real mail, the sender will try again -- or maybe even pick up the phone."
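The following added example, which is not from the article or from Finjan, shows how a mail gateway check could inventory the active content types named above (scripts, embedded objects such as ActiveX controls, inline event handlers, script-scheme links) in a message's HTML parts. The tag list, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}  # assumed policy list
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

class ActiveContentFinder(HTMLParser):
    """Collects (kind, name) pairs for active content seen in one HTML part."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            # HTMLParser has already decoded entities such as &#115; here.
            # Drop whitespace/control characters, which browsers ignore in schemes.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and url.startswith(SCRIPT_SCHEMES):
                self.findings.append(("script-url", name))

def scan_message(raw_bytes):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    finder = ActiveContentFinder()
    msg = message_from_bytes(raw_bytes, policy=default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.findings

def build_message(html):
    """Constructed sample: multipart/alternative with plain and HTML bodies."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("Plain-text alternative.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()

SAMPLE_HTML = """<p>Report</p><script>void 0;</script>
<img src="cid:logo" onload="void 0">
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<a href="java&#115;cript:void 0">link</a>"""

if __name__ == "__main__":
    for kind, name in scan_message(build_message(SAMPLE_HTML)):
        print(f"{kind}: {name}")
```

A gateway that restricts HTML mail could quarantine any message with a non-empty result, or deliver only its plain-text alternative.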