Kompromittierte HTML-Anhänge sind nach wie vor ein beliebtes Einfallstor für Hacker, erklärt Dr. Klaus Gheri, Vice President & General Manager Network Security bei Barracuda Networks, in einem Gastbeitrag. | Compromised HTML attachments continue to be a popular gateway for hackers, explains Dr. Klaus Gheri, vice president & general manager of network security at Barracuda Networks, in a guest post. |
---|---|
HTML-Anhänge stehen auf der Liste der für bösartige Zwecke verwendeten Dateitypen ganz oben. Hypertext Markup Language – kurz HTML – dient dazu, online dargestellte Inhalte zu erstellen und zu strukturieren. Dies passiert häufig auch in der E-Mail-Kommunikation, so in automatisiertem Content wie Newslettern oder Marketingdokumenten, die Benutzer regelmäßig erhalten. Nun kann man aber davon ausgehen, dass praktische, gut gedachte Technologien meistens auch bei Kriminellen sehr beliebt sind. Und tatsächlich ist HTML ein über die Maßen willkommenes Angriffstool der Art, dass gut gestaltete Nachrichten, kompromittierte Webseiten und bösartige HTML-Dateianhänge Benutzer mittels Phishing täuschen sollen, um etwa den Diebstahl von Anmeldedaten zu verschleiern. Mehr noch: Innerhalb der letzten zehn Monate hat sich die Zahl der von Barracuda-Systemen gescannten HTML-Anhänge, die sich als bösartig herausstellten, mehr als verdoppelt. Waren es im Mai vergangenen Jahres bereits 21 Prozent, stieg die Zahl der im Ergebnis auf bösartig gescannten HTML-Dateien im März 2023 auf 45,7 Prozent. Nicht nur das Gesamtvolumen bösartiger HTML-Anhänge nimmt zu, sondern sie sind weiterhin der am häufigsten für bösartige Zwecke verwendete Dateityp. Warum ist das so? Weil es immer noch zuverlässig funktioniert! • Aufklärung und Sensibilisierung der Mitarbeiter, um potenziell bösartige HTML-Anhänge zu erkennen und zu melden. Angesichts des Umfangs und der Vielfalt dieser Art von Angriffen ist es geraten, bei allen HTML-Anhängen stets vorsichtig zu sein, insbesondere bei solchen, die von unbekannten Quellen stammen. Anmeldedaten dürfen niemals an Dritte weitergegeben werden. • Multifaktor-Authentifizierung (MFA) ist nach wie vor eine gute Zugangskontrolle. Nichtsdestotrotz wenden Kriminelle zunehmend fortgeschrittene Social-Engineering-Techniken an, indem sie beispielsweise auf die MFA-Müdigkeit der Mitarbeiter setzen. Zero-Trust-Access-Maßnahmen erhöhen die Sicherheit. Eine effektive Zero-Trust-Lösung überwacht dynamisch mehrere Parameter: Benutzer, Gerät, Standort, Zeit, Ressourcen und weitere, auf die zugegriffen wird. Dadurch wird es für Angreifer deutlich schwieriger, das Netzwerk mit gestohlenen Anmeldedaten zu kompromittieren. • Sollte eine bösartige HTML-Datei dennoch durchkommen, sollten Tools zur Beseitigung bereitstehen, um bösartige E-Mails schnell zu identifizieren und aus den Posteingängen aller Benutzer zu entfernen. Eine automatisierte Incident Response kann dabei helfen, dies zu tun, bevor sich der Angriff in einem Unternehmen ausbreitet. Darüber hinaus kann der Schutz vor Kontoübernahmen verdächtige Kontoaktivitäten überwachen und davor warnen, wenn Anmeldedaten kompromittiert werden. | HTML attachments top the list of file types used for malicious purposes. Hypertext Markup Language – HTML for short – is used to create and structure content displayed online. This is often done in email communications, such as automated content like newsletters or marketing documents that users receive on a regular basis. Now, it’s safe to assume that practical, well-designed technologies are usually popular with criminals as well. And indeed, HTML is a more than welcome attack tool of the kind that well-designed messages, compromised web pages, and malicious HTML file attachments are designed to fool users via phishing, for example, to disguise the theft of login credentials. What’s more, within the last ten months, the number of HTML attachments scanned by Barracuda systems that turned out to be malicious has more than doubled. While it was already 21 percent in May last year, the number of HTML files scanned for malicious in the result rose to 45.7 percent in March 2023.
Many different attacks with individual files
When the recipient opens the HTML file, they are redirected to a phishing website or other malicious content controlled by the criminals through multiple redirects via JavaScript libraries hosted elsewhere. Users are asked to log in to access desired information or download a file that might contain malware. However, things are still getting more perfidious. In some cases, Barracuda researchers have observed that the HTML file itself contains sophisticated malware with the entire malicious payload embedded, including potent scripts and executables. This attack technique is now becoming more common as opposed to externally hosted JavaScript files. Therefore, it is important to analyze the entire email with HTML attachments, all redirects, as well as the content of the email for malicious intent.
Another new feature of attacks is their diversity. The growing number of malicious files detected is not simply the result of a limited number of mass attacks, but rather many different types of attacks, each using specially crafted files. Meanwhile, about a quarter (27 percent) of the detected files are singular, and the remaining three-quarters were iterations or mass distributions of those files.
Not only is the overall volume of malicious HTML attachments increasing, but they continue to be the most common file type used for malicious purposes. Why is that? Because it still works reliably!
What protects against malicious HTML attachments?
– Effective email protection detects malicious HTML attachments and can block them. As described, these are not always easy to detect, so powerful solutions include machine learning and static code analysis that checks the content of an email, not just its attachment. – Employee education and awareness to identify and report potentially malicious HTML attachments. Given the scope and variety of these types of attacks, it is advised to always be cautious of all HTML attachments, especially those that originate from unknown sources. Credentials must never be shared with third parties. – Multifactor authentication (MFA) is still a good access control. Nonetheless, criminals are increasingly using advanced social engineering techniques, such as relying on employee MFA fatigue. Zero-trust access measures enhance security. An effective zero-trust solution dynamically monitors multiple parameters: User, device, location, time, resources and others being accessed. This makes it much more difficult for attackers to compromise the network with stolen credentials. – If a malicious HTML file does get through, remediation tools should be in place to quickly identify and remove malicious emails from all users‘ inboxes. Automated incident response can help do this before the attack spreads throughout an organization. In addition, account takeover protection can monitor suspicious account activity and warn when credentials are compromised.
HTML attachments top the list of file types used for malicious purposes. Hypertext Markup Language – HTML for short – is used to create and structure content displayed online. This is often done in email communications, such as automated content like newsletters or marketing documents that users receive on a regular basis. Now, it’s safe to assume that practical, well-designed technologies are usually popular with criminals as well. And indeed, HTML is an overwhelmingly welcome attack tool of the sort that well-designed messages, compromised web pages, and malicious HTML file attachments are designed to fool users via phishing, for example, to disguise the theft of login credentials. What’s more, within the last ten months, the number of HTML attachments scanned by Barracuda systems that turned out to be malicious has more than doubled. While it was already 21 percent in May last year, the number of HTML files scanned for malicious in the result rose to 45.7 percent in March 2023.
Many different attacks with individual files
When the recipient opens the HTML file, they are redirected to a phishing website or other malicious content controlled by the criminals through multiple redirects via JavaScript libraries hosted elsewhere. Users are asked to log in to access desired information or download a file that might contain malware. However, things are still getting more perfidious. In some cases, Barracuda researchers have observed that the HTML file itself contains sophisticated malware with the entire malicious payload embedded, including potent scripts and executables. This attack technique is now becoming more common as opposed to externally hosted JavaScript files. Therefore, it is important to analyze the entire email with HTML attachments, all redirects, as well as the content of the email for malicious intent.
Another new feature of attacks is their diversity. The growing number of malicious files detected is not simply the result of a limited number of mass attacks, but rather many different types of attacks, each using specially crafted files. Meanwhile, about a quarter (27 percent) of the detected files are singular, and the remaining three-quarters were iterations or mass distributions of those files. Not only is the overall volume of malicious HTML attachments increasing, but they continue to be the most common file type used for malicious purposes. Why is that? Because it still works reliably!
What protects against malicious HTML attachments?
– Effective email protection detects malicious HTML attachments and can block them. As described, these are not always easy to detect, so powerful solutions include machine learning and static code analysis that checks the content of an email, not just its attachment. – Employee education and awareness to identify and report potentially malicious HTML attachments. Given the scope and variety of these types of attacks, it is advised to always be cautious of all HTML attachments, especially those that originate from unknown sources. Credentials must never be shared with third parties. – Multifactor authentication (MFA) is still a good access control. Nonetheless, criminals are increasingly using advanced social engineering techniques, such as relying on employee MFA fatigue. Zero-trust access measures enhance security. An effective zero-trust solution dynamically monitors multiple parameters: User, device, location, time, resources and others being accessed. This makes it much more difficult for attackers to compromise the network with stolen credentials. – If a malicious HTML file does get through, remediation tools should be in place to quickly identify and remove malicious emails from all users‘ inboxes. Automated incident response can help do this before the attack spreads throughout an organization. In addition, account takeover protection can monitor suspicious account activity and warn when credentials are compromised.
Adequate cybersecurity is fundamental in light of the increasing number of HTML attacks. However, a layered approach of security tools and employee education helps organizations effectively defend against this threat. |
Dr. Jakob Jung ist Chefredakteur Security Storage und Channel Germany. Er ist seit mehr als 20 Jahren im IT-Journalismus tätig. Zu seinen beruflichen Stationen gehören Computer Reseller News, Heise Resale, Informationweek, Techtarget (Storage und Datacenter) sowie ChannelBiz. Darüber hinaus ist er für zahlreiche IT-Publikationen freiberuflich tätig, darunter Computerwoche, Channelpartner, IT-Business, Storage-Insider und ZDnet. Seine Themenschwerpunkte sind Channel, Storage, Security, Datacenter, ERP und CRM.
Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM.
Kontakt – Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
Dr. Klaus Gheri’s post highlights the rising threat of malicious HTML attachments, with their incidence more than doubling in the past year. These attachments are increasingly used to redirect users to phishing sites or embed sophisticated malware. To combat this, Gheri recommends robust email protection solutions, employee training, and implementing multifactor authentication (MFA) and zero-trust access measures. His insights underscore the need for vigilant, multi-layered security strategies to protect against these evolving threats.
Here are also some of the great learning platforms for your better understanding:
1.https://www.w3schools.com/html/
2.https://www.w3schools.com/css/
3.https://iqratechnology.com/academy/