Wandering Thoughts archives


An email phish attempt using attachment file type confusion

I don't get much spam email in general and I get even less that has malware payloads, so in one sense it's always interesting when one makes it through our various anti-spam measures and I get to actually look at a sample for myself. Today I received what looked like a malware attack using a PDF:

Subject: [...] has sent you a document(s)

File Name: Invoice-38937.pdf
File Size: 44 KB
Please find attached Invoice-38937 for your reference.

I was all ready to start cracking the PDF open with various tools to see what they could tell me, when I actually extracted the attachment and looked at the full filename and file type:

Content-Type: application/octet-stream; name="Invoice-38937.shtml"

The actual attachment was a HTML file that contained a single form that POST'ed off to a website, with a fixed 'Email address' field and a password field for you to fill in. The HTML design was set up to try to look plausible as a PDF that you had to enter a password to see, with a blurred, dark background image that looked sort of like a blurry invoice and an 'Adobe PDF / Sign in to view invoice payment' popup, a page title of 'Adobe ID', and so on.

(The form's POST target was a HTTP URL instead of a HTTPS one, but I think only Firefox warns you about that.)

At one level this is unexceptional and probably unsurprising. At another level, I find it interesting that this sort of attachment file type confusion actually works (or at least I assume it works enough for spammers to keep using it). It wouldn't work in the mail environment I use, where a completely visually different program is run to display a PDF than is run to display a HTML file, but in an 'all in one' environment where the mail client tries to display as much as it can itself (and where browsers display PDFs too), I can see how there might not be clear visible signs that you're not really looking at a PDF.

To me, this also points out a weakness in common mail environments. This file type confusion shouldn't really work; you shouldn't be able to pass off a HTML file as a PDF (although PDFs can contain plenty of dangerous things in their own right). You could also argue that a HTML file opened directly in a mail client shouldn't be allowed to submit any forms, but there are probably people who actually rely on this working for some internal process they do.

(Email attachment file type confusion is routinely exploited by malware to try to, for example, persuade you that an executable is a PDF so you'll click on it.)

spam/PhishViaFiletypeConfusion written at 22:13:32; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.