Hotmail flaw leads to targeted attacks against corporate employees


It looks like we’re fighting a new war that can prove more dangerous than gun-wielding soldiers and atomic bombs, perpetrated by a faceless attacker with a bunch of seemingly harmless scripts and characters strewn together, scripts not many people understand. So how do we protect ourselves, our privacy and our information?

Engineers from TrendLabs, the research laboratory of security firm Trend Micro, have discovered the source of a targeted email attack detected in the wild over the last two weeks. The attack involved email messages sent through Hotmail, where a previously unpatched vulnerability in its content filtering mechanism was exploited through a malicious email message identified as HTML_AGENT.SMJ. The email message pretended to come from the Facebook Security Team.

Targeted users receive seemingly innocuous email messages that contain an embedded script, which executes automatically when the user opens the email. The embedded script then connects to a specific website, from which it downloads another script, JS_AGENT.SMJ.

This last script captures all of the affected users’ emails and forwards them to another email address. It continues to forward messages from targeted users to the author of the malware until the user logs out of their webmail.
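The article says the attack got past Hotmail's content filter; the following allow-list sanitiser is an added illustration (not code from Trend Micro, Microsoft or the article) of what such a filter has to do with an HTML mail body: drop every tag, attribute and URL scheme that is not explicitly allowed, and record each drop so a mail gateway can alert on it. The sample message, hostnames (`example.test`) and function names are constructed for this example.

```python
# Allow-list HTML sanitiser for webmail bodies (added illustration, not Trend Micro's or
# Microsoft's code): anything not explicitly allowed is dropped AND recorded for alerting.
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "div", "span", "ul", "li", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
CONTAINER_TAGS = ("script", "style", "iframe", "object")  # contents dropped wholesale

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth or tag not in ALLOWED_TAGS:
            if tag in CONTAINER_TAGS:  # skip everything until the matching close tag
                self.skip_depth += 1
            self.findings.append(f"dropped tag <{tag}>")
            return
        kept = []
        for name, value in attrs:  # html.parser already lower-cases tag/attribute names
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                self.findings.append(f"dropped attribute {tag}@{name}")
            elif name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.findings.append(f"dropped unsafe URL {tag}@{name}={value!r}")
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in ("br", "img") and not self.skip_depth:
            self.out.append(f"</{tag}>")  # void tags get no close tag

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize(html):
    """Return (clean_html, findings) for one email body string."""
    p = MailSanitizer(); p.feed(html); p.close()
    return "".join(p.out), p.findings

SAMPLE_EMAIL = (  # constructed sample in the shape the article describes; placeholder hosts
    '<p>Facebook Security Team: <a href="https://example.test/verify" onclick="go()">'
    'verify now</a></p><script src="http://example.test/stage2.js"></script>'
    '<img src="javascript:void(0)" alt="logo">')
```

`sanitize(SAMPLE_EMAIL)` keeps only the lure text and the https link, and its findings list (the event handler, the remote script element and the non-http image URL) is what a gateway would log or alert on.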

Microsoft has already updated Hotmail to fix the vulnerability, but not before cybercriminals had found a way to take advantage of it.

TrendLabs Threat Response Engineer Karl Dominguez said that employees who open their personal Hotmail accounts in their offices risk exposing their corporate data to the attack. Among the information that can be stolen are contacts, other log-in credentials, and confidential corporate messages.

Dominguez stressed that companies must also take steps to ensure that their networks are safe from outside attacks. Cybercriminals are using social engineering to exploit office workers’ curiosity and fondness for social networking sites in order to gain access to more important corporate data.

“Always patch your browsers, applications, and operating systems; update your security software regularly; only access trustworthy websites; disable scripting or limit it to trustworthy sites; use alternative browsers; and always use original software. These are the most important things that should be remembered in our fight against cybercriminals,” according to Dominguez.