New email BlackHole exploit attack has embedded JavaScript & iframe
A few days ago I discovered an email scam that tries to deliver the BlackHole Exploit Kit directly, inside the message body of the emails themselves. The Subject used was "Re: URGENT" and the sender addresses spoofed Twitter, LinkedIn and sbcglobal.net customers. In every case the hostile code was no longer reached via links; it was reached simply by opening the email in your email client, with HTML display enabled and iframes allowed.
Rather than delving into a big technical discussion about the exploit itself (which I have covered numerous times), this article will try to help protect you from being exploited by it, or by another like it.
We first need to define how the attack inside these email messages is triggered. It is a two-pronged attack. The first prong is the exploit code itself, embedded in the message body inside <script> tag sets. The second prong is an HTML "iframe" tag whose "src" (source) attribute points at a remote server or website that is hosting the BlackHole attack kit.
The criminals who sent this are hoping to exploit you if your email reader is set to render HTML and scripting; many users allow both by default. The iframe is there to attack you in the event that you disallow scripting but still allow iframe contents to be rendered. It is a tricky one-two punch.
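To make the two prongs concrete from the defender's side, here is an added Python example (it is not code from the original post, and the message, sender, host name and script body in it are constructed placeholders, not the real exploit kit or its server). It parses a raw message the way a mail-scanning tool sitting in front of the email client might, walks the MIME parts, counts inline <script> blocks, records any <iframe> whose src points at a remote host, and returns a verdict. It also shows what a client reading the message in plain text would actually display, and what is left of the HTML part once scripts and iframes are dropped: in both cases, neither prong survives.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the "Re: URGENT" mails described above.
# The script body and the iframe host are placeholders (".invalid" TLD), not real exploit code.
SAMPLE_EML = b"""\
From: "A Twitter user" <notify@twitter.example>
To: victim@example.net
Subject: Re: URGENT
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached notice.

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please see the attached notice.</p>
<script>/* placeholder for inline exploit code */ var x = 1;</script>
<iframe src="http://exploit-host.invalid/kit.php" width="1" height="1"></iframe>
</body></html>

--b1--
"""


class ActiveContentScanner(HTMLParser):
    """Counts <script> blocks, collects <iframe src> targets, and keeps only the visible text."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.iframe_srcs = []
        self.text_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
            self._in_script = True  # prong one: inline exploit code
        elif tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)  # prong two: remote kit loaded by iframe

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers script bodies through handle_data; drop them.
        if not self._in_script:
            self.text_chunks.append(data)


def html_to_text(html: str) -> str:
    """Visible text of an HTML fragment with scripts and iframes removed."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return " ".join("".join(scanner.text_chunks).split())


def scan_message(raw: bytes) -> dict:
    """Flag a raw RFC 822 message that carries either prong in any text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject": str(msg["subject"]), "scripts": 0,
                "remote_iframes": [], "verdict": "ok"}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = ActiveContentScanner()
        scanner.feed(part.get_content())
        scanner.close()
        findings["scripts"] += scanner.scripts
        for src in scanner.iframe_srcs:
            # A relative or cid: src has no host; only a remote host can pull in the kit.
            if urlparse(src).netloc:
                findings["remote_iframes"].append(src)
    if findings["scripts"] or findings["remote_iframes"]:
        findings["verdict"] = "quarantine"
    return findings


def plain_text_view(raw: bytes) -> str:
    """What a client set to 'read all messages in plain text' shows: the text/plain
    alternative only; the text/html part is never rendered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content().strip() if body is not None else ""


if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
    print("plain-text view:", repr(plain_text_view(SAMPLE_EML)))
```

The scanner only looks at the message structure, never renders anything, so it is safe to run on quarantined mail; an `iframe` with a relative or `cid:` source is deliberately not counted as remote, since only a foreign host can serve the kit.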
Here are some ways you can protect your computers from being exploited by the embedded BlackHole attacks.
By far the simplest way to block all scripted and iframe attacks is to set your email client to display email in plain text. Plain text cannot render scripts, iframes, or any other HTML formatting. It cannot even display inline images. It's boring, but safe.
Explore the options or preferences available for your email system and apply Read in Plain Text, if it is available. Webmail users will often have a link on the upper right side labeled (Email) Options or Preferences, or similar. Outlook Express and Windows Live Mail users can easily make this change by locating their Options > Email > Read and change the reading format to "Read all messages in plain text," then apply the change.
However, plain text will mangle the content of an HTML-formatted message. It is just as safe for Outlook Express and Windows Live Mail users to allow HTML messages, but check the box to render them in the "Restricted Sites Zone." In Windows Live Mail, this is found by clicking the down arrow in the blue button on the upper left side (just under the title bar), which drops down several options. One is labeled "Options." Click on Options and select the Safety Options choice. Click the Security tab. Under "Select the security zone to use," check "Restricted sites zone (More secure)," then click Apply at the bottom right corner.
Make sure that you have not loosened the restrictions in the Restricted Sites Zone. This is found by means of either Internet Explorer's Internet Options or Control Panel's Internet Options. From Internet Explorer, click on Tools > Internet Options > Security tab. Click on the Restricted sites icon (red circle with slanted line) and, if it is not already there, set the slider to High, then click Apply to save the change. Also, if you see the checkbox to Enable Protected Mode, check it and apply.
In both instances, you need to close and re-open your email client or browser.
If you use Firefox as your browser and email reader, install the NoScript Add-on and enable it. By default, it blocks JavaScript, Java, Flash and iframes, among many other known exploit vectors.
For other desktop email clients, search for your options, as they apply to safety, scripting, HTML and iframes and tighten them to the highest level you can tolerate.
You must have anti-malware protection nowadays. Free anti-virus is either barely adequate or useless altogether. In order to keep pace with the rapidly morphing malware attacks, one needs commercial security software with definitions in the cloud in addition to on-board definitions. I have chosen Trend Micro to protect all of my computers.
Finally, even with heightened security settings, I do not trust Windows Live Mail 100%. I run Firetrust's MailWasher Pro ahead of Windows Live Mail. It checks mail on the interval I set, inspecting the number of lines of code I deem important, then classifies each incoming message according to my own custom spam filters, my own blacklisted and whitelisted senders, its built-in spam learning filter, online spam blocklists, and other criteria. Most spam and malware threats are automatically deleted instantly. Others are marked as either spam, or unclassified, drawing my attention. If they are threats or spam, I delete them manually, while also reporting them to SpamCop.
Only after dealing with spam, scams, malware and read messages do I manually check for new mail in Windows Live Mail (turn OFF checking on any interval in WLM or OE). Note that WLM and OE still forcibly run a check for new mail every 8 hours, even with interval checking unchecked! Just keep this in mind.
If you use Microsoft Outlook, there are plenty of options available for safely displaying possibly dangerous content. Go through your program's email options.
Oh, and just because an email sender name is one you recognize, do not automatically assume that they sent it knowingly. Spammers spoof sender names and accounts to trick recipients, often after hacking those users' email accounts to steal their contact lists.
I hope this helps to protect you from the criminals behind the BlackHole Exploit Kit and similar exploit kits.