Targeted Webmail Attack Leads to Data Theft

Written by: Danielle Veluz

We've recently discovered an attack that highlights the risks involved in accessing personal Webmail accounts at work. It takes advantage of a Hotmail vulnerability that was unpatched at the time and executes malicious JavaScript as soon as a specially crafted email message is previewed; no attachment has to be opened and no link has to be clicked. A successful attack leads to the theft of possibly critical information.

How does the malware arrive on users' systems?

Users preview a specially crafted email message written in Chinese with the subject, "Have you ever logged in to Facebook from an unknown location?" The email message appears to target specific recipients and informs them that their Facebook accounts have been temporarily locked down because these have been accessed from unknown locations. It also contains an embedded script that Trend Micro detects as HTML_AGENT.SMJ. When the message is previewed, the script connects to the URL http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} and downloads a JavaScript file detected as JS_AGENT.SMJ.

Figure 1. Sample Webmail inbox with the email message's preview

What are JS_AGENT.SMJ's routines?

JS_AGENT.SMJ steals information such as the affected user's list of email contacts and relevant email messages. The stolen information is forwarded to specific email addresses. It also reports how many email messages in the user's inbox have been read.

What vulnerability does this attack take advantage of?

The attack took advantage of a bug in Hotmail's script and CSS filtering mechanism (CVE-2011-1252). Instead of stripping the attacker's style data cleanly, the faulty filter inserted a character into the CSS parameters, splitting the content into two separate lines that the Web browser's CSS engine then rendered as script. In other words, the filter's own edit produced the payload: the browser parsed the modified text, not the text the filter had inspected. This allowed the cybercriminals to execute arbitrary script within the affected user's active Hotmail session, with that session's privileges.

Microsoft has already taken action and has updated Hotmail to patch the said bug.

What makes this a seemingly targeted attack?

The URL used in the attack strongly suggests that it is targeted. It contains two variables: the {user account name}, which is the target user's Hotmail ID, and the {number}, which is a value the attacker set in advance. The number appears to select which malicious payload the server returns. We also found that the script only carries out information theft when certain numbers are plugged in to the number field, so the attacker can decide per recipient whether the beacon does anything at all.

How does this attack affect users?

This attack shows the risks that companies take when they allow their employees to access personal Webmail accounts at work. User information can be stolen and used by the perpetrators to stage other fraudulent activities (e.g., spamming and phishing). Apart from compromising the affected employees' security, the cybercriminals can also obtain confidential company data that passed through those personal mailboxes. The stolen information may then be sold underground or used to stage even more sophisticated targeted attacks.

Why is this attack noteworthy?

The cybercriminals behind this targeted attack deviated from their usual tactic of attaching a malicious file to the email message or embedding a link that points to a malware download. All it took for the malicious script to execute was previewing the specially crafted email message.

It also took advantage of a then-unpatched vulnerability and employed a social engineering lure (a fake Facebook security notice) to get the message opened. Last but not least, the attack required very little user intervention.

Are Trend Micro users protected from this threat?

Yes. Trend Micro product users are protected from this attack via the Trend Micro™ Smart Protection Network™, which detects and prevents the related spam messages from reaching users' inboxes via the Email Reputation Technology. Web Reputation Technology blocks access to all of the related URLs. Finally, File Reputation Technology prevents the execution of the malicious scripts.

To further ensure safety, users are urged to always keep their systems up-to-date. Companies, on the other hand, are advised to set strict security policies, especially with regard to accessing personal Webmail accounts at work. Keeping up with the latest trends in the threat landscape also raises awareness of how companies and users alike can protect their systems and information.

The resolution of this particular incident was, according to Microsoft, a result of its continuous cooperation with Trend Micro and their shared commitment to protecting users via Coordinated Vulnerability Disclosure.

Expert Insights:

"The best defense against cross-site scripting (CSS) heavily relies on eliminating scripting vulnerabilities on the part of Web developers. Users, on the other hand, can generally minimize risks by enabling their browser's CSS filter, by using a firewall, and by disabling scripting, if at all possible. Typing addresses directly into one's browser address bar or using bookmarks may also prove effective against CSS attacks, as opposed to clicking links embedded in email messages and Web pages." —Karl Dominguez, Threat Response Engineer