Thursday 26 November 2015

Does your email filter check for html files? If so, what does it do?

I just received one.

From: PayPal <>
Subject: Online Account Verification

Dear Customer

Please take a few minutes out of your online experience to know why we have limited the access (temporarily) to your account.

The time it takes to restore the access is usually uncertain; depending on the type of issue, it may take our security team a few minutes or hours to resolve the problem.

There are a variety of reasons why an account is set to Limited; One of them is un-authorized access (another user tried to use your account without your consent).

An attachment is given to you through this notification. Please download and open it in your browser to verify your account.

Our security team will immediately review the information you have provided, and your account should be restored back to normal.

We would like to thank you for your attention to this matter.

PayPal Account Security Division

It includes an obfuscated javascript program. I'm not going to try to de-obfuscate it, because the obfuscation is clear evidence that it's doing something fishy.

SHA1 8ab4172e11f81cee016dff09cfd50a3e86f94810
SHA256 713a848d3613d1f9243574a171bec958e2127695fe6e3f60df0f353c654eb081

Jotti says that only Sophos flags it, 20 other products say it's OK.
Virustotal says that only Sophos flags it, 54 other products say it's OK.
Metascan says that only Sophos and Preventon flag it, 41 other products say it's OK.

"Ah, but," you might think, "I'm running NoScript, which will prevent dodgy javascripts from running." And you're probably wrong. NoScript blocks javascript based on which web site is running it; if you allow a web site to run javascript, then you're trusting it until you change your mind, which probably won't happen, because why would you? And if you click on this html attachment, the javascript is being run from your own computer, and you've probably already decided that you can trust yourself! So the script will run, and although I can't tell you exactly what it does, I'm pretty sure it will be something that you really, really don't want.

So does your email filter check for html files? If so, what does it do?
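As an added example, not code from the post or from any named mail filter, here is the kind of check a gateway could run on a message like this one: pull out every HTML attachment (by declared type or by filename, since senders mislabel types), hash it, and look for script and the usual obfuscation markers. The two messages below are constructed for illustration; the one SHA-256 on the blocklist is the hash quoted above.

```python
"""Scan an RFC 822 message for HTML attachments carrying script.

Added example, not code from the original post. Both messages below are
constructed; only KNOWN_BAD_SHA256 comes from the post.
"""
import email
import hashlib
import re
from email import policy

# SHA-256 of the attachment described in the post.
KNOWN_BAD_SHA256 = {
    "713a848d3613d1f9243574a171bec958e2127695fe6e3f60df0f353c654eb081",
}

# Markers common in obfuscated phishing HTML. They are evidence, not proof;
# the verdict below blocks on any <script> (or a hash match) and reports the
# other markers as supporting detail.
INDICATORS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"fromCharCode"),
    "document_write": re.compile(r"document\.write\s*\("),
    "percent_escape_run": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "offsite_form": re.compile(r"<form\b[^>]*\baction\s*=\s*['\"]?https?://", re.I),
}

HTML_SUFFIXES = (".htm", ".html", ".xhtml", ".shtml")

# Constructed sample: note the attachment is declared application/octet-stream,
# so a filter that keys only on text/html would miss it.
MALICIOUS_EML = b"""\
From: PayPal <security@example.invalid>
To: victim@example.invalid
Subject: Online Account Verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

An attachment is given to you through this notification.
Please download and open it in your browser to verify your account.

--b1
Content-Type: application/octet-stream; name="PayPal_Verification.html"
Content-Disposition: attachment; filename="PayPal_Verification.html"
Content-Transfer-Encoding: 7bit

<html><body><script>
var p = unescape('%3C%66%6F%72%6D%20%61%63%74%69%6F%6E%3D');
document.write(p + eval(String.fromCharCode(34,104,34)));
</script></body></html>
--b1--
"""

# Constructed sample: a script-free HTML attachment that should pass.
BENIGN_EML = b"""\
From: billing@example.invalid
To: victim@example.invalid
Subject: November statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/html; name="statement.html"
Content-Disposition: attachment; filename="statement.html"
Content-Transfer-Encoding: 7bit

<html><body><p>Your statement for November is attached.</p>
<table><tr><td>Total</td><td>12.00</td></tr></table></body></html>
--b2--
"""


def is_html_attachment(part) -> bool:
    """HTML if the declared type says so OR the filename does: mail clients
    open attachments by extension, whatever the Content-Type claims."""
    if part.get_content_maintype() == "multipart":
        return False
    if (part.get_content_type() == "text/html"
            and part.get_content_disposition() == "attachment"):
        return True
    return (part.get_filename() or "").lower().endswith(HTML_SUFFIXES)


def scan_message(raw: bytes) -> list:
    """Return one finding (filename, type, sha256, indicators, verdict) per
    HTML attachment in the raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if not is_html_attachment(part):
            continue
        data = part.get_payload(decode=True) or b""      # transfer-decoded bytes
        sha256 = hashlib.sha256(data).hexdigest()
        text = data.decode("utf-8", errors="replace")
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        block = sha256 in KNOWN_BAD_SHA256 or "script_tag" in hits
        findings.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "sha256": sha256,
            "indicators": hits,
            "verdict": "block" if block else "allow",
        })
    return findings


if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS_EML), ("benign", BENIGN_EML)):
        for f in scan_message(raw):
            print(label, f["verdict"], f["filename"], f["sha256"][:16], f["indicators"])
```

Two design points worth noting. Blocking on any script in an HTML attachment will also catch legitimate exports that embed javascript, so in practice the verdict usually means "quarantine and tell the recipient" rather than silent drop. And the scan deliberately covers only attachments: an HTML body rendered inline by the mail client is a different problem, since there the client, not the browser, decides whether script runs at all.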

