Out-of-the-blue empty emails bring redirecting malware danger

Graham Cluley

Have you received an email out of the blue with no message body, but with a file called <random number>_inv.html attached?

Well, be on your guard – as you could be in the firing line for a new malware attack that has been widely spammed out around the world.

Here is just a small snapshot of the different subject lines we’ve intercepted at our global network of spam traps:

Examples of redirecting malware attack in Sophos's spam traps

If you make the mistake of opening the attached HTML file, your computer will be redirected to a fake anti-virus attack on a third-party site. That means that you will begin to see bogus security warnings trying to trick you into handing over your credit card details, or into downloading further dangerous software to your computer.

Sophos’s products don’t have any problem intercepting the messages above as spam (and we’ll be detecting the attachment as Troj/JSRedir-CO shortly), as well as intercepting the webpage that the attack attempts to connect with and blocking the fake anti-virus which hides here.

But although our customers are protected – there’s still a challenge.

And that challenge is – how do we warn the public about attacks like this?

The email address that the malware is sent from changes each time, the subjects appear to be pretty randomly chosen – even the attached filename has a random component. And the message body is no use to us, from the awareness point of view, as there’s nothing to see.

This isn’t like the old days of worms like “Anna Kournikova” and “The Love Bug” which could be very easily described in terms that the average chap in the street would understand, so they would know what to look out for.

All we have is “look out for empty emails with an attachment which might end with _inv.html”

Ask yourself this – are your colleagues likely to find that memorable?

It’s a good job that security software doesn’t find it as hard as Joe Public to tell which emails are legitimate and which ones carry a malware danger.
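The two traits that do stay constant in this campaign, a blank message body and an attachment named <random number>_inv.html, are simple for a mail filter to test even if they are hard for people to remember. The Python below is an added example, not code from the original post or from Sophos; the function names, the placeholder sender and the constructed sample messages are assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Attachment trait from the post: "<random number>_inv.html"
INV_ATTACHMENT = re.compile(r"^\d+_inv\.html$", re.IGNORECASE)


def attachment_names(msg):
    """Filenames of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_is_empty(msg):
    """True when no non-attachment text part has visible characters."""
    for part in msg.walk():
        if part.is_multipart() or part.get_filename():
            continue
        if part.get_content_maintype() != "text":
            continue
        if (part.get_payload(decode=True) or b"").strip():
            return False
    return True


def matches_inv_pattern(raw):
    """Flag a blank message that carries a <digits>_inv.html attachment."""
    msg = message_from_string(raw)
    named = any(INV_ATTACHMENT.match(n) for n in attachment_names(msg))
    return named and body_is_empty(msg)


def build_sample(body, filename):
    """Constructed test message; sender and subject are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    msg.add_attachment("<html></html>", subtype="html", filename=filename)
    return msg.as_string()


if __name__ == "__main__":
    for body, name in [("\n", "48213_inv.html"),
                       ("See attached invoice.\n", "48213_inv.html"),
                       ("\n", "report.html")]:
        print(name, repr(body), matches_inv_pattern(build_sample(body, name)))
```

Requiring both traits together keeps the rule from flagging ordinary messages that happen to carry an HTML attachment alongside real text.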


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
