May 13 | 2:51 am (UTC-7) | by Taiwan Threat Solution Team
TrendLabsSM engineers are currently monitoring an in-the-wild attack that highlights the underrated and often-ignored risk of allowing employees to check their personal email accounts at work.
Yesterday, one of our colleagues in Taiwan received an email message that spurred what looks like a targeted attack. Unlike other email-based attacks that require users to open the message and to click an embedded link or to download and execute an attachment, this attack’s execution merely requires users to preview the message in their browsers.
The following is a screenshot of the email inbox’s page:
The message in the email above roughly translates to the following:
Subject: Have you ever logged in Facebook from unknown location?
Content: Dear Facebook User,
Your Facebook account is accessed from a computer or device or from a location that you have never used before. For protecting your account security, before you have confirm your account is not hacked, we temporarily locked down your account.
Have you ever logged in Facebook from other place?
If this is not your name, please use your personal computer to login Facebook and follow the instructions to manage your account information.
If this is not your account, please do not worry. Relogin can lead your back to your own account.
For more information, visit our Help Center here: … {link}
Thanks,
Facebook Security Team
Previewing the email message prompts the download of a script from a remote URL. The script is then injected into the page to initiate information theft. The data stolen includes email messages and contact information. More importantly, however, the script also enables email forwarding on affected users’ accounts, which sends all of their messages to a specific address.
The email message seems to have been specially crafted per recipient, as it uses each user’s Hotmail ID in the malicious script that it embeds. Subsequent downloads also use specific Hotmail IDs and a specific number identified by the attacker. Changing the number may change the payload.
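One way a proxy or gateway team could hunt for the behavior described above, shown as an added example that is not part of TrendLabs' analysis: it scans web proxy logs for scripts that a webmail page loaded from a host outside an allowlist, and raises severity when the request carries a mailbox ID. The log format, the host lists, the sample lines and the idea that the ID appears in the query string are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed site configuration: webmail origins and hosts allowed to serve them scripts.
WEBMAIL_SUFFIXES = ("hotmail.com", "live.com")
TRUSTED_SCRIPT_SUFFIXES = WEBMAIL_SUFFIXES + ("webmail-cdn.example",)
MAIL_ID = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")

# Constructed sample log: time, client, URL, Referer, response Content-Type.
SAMPLE_LOG = """\
2011-05-12T09:14:02Z 10.0.4.17 http://mail.live.com/default.aspx - text/html
2011-05-12T09:14:03Z 10.0.4.17 http://static.webmail-cdn.example/app.js http://mail.live.com/default.aspx application/javascript
2011-05-12T09:14:05Z 10.0.4.17 http://scripts.attacker.example/get.php?id=user1%40hotmail.com&n=2011 http://mail.live.com/default.aspx application/javascript
2011-05-12T09:15:40Z 10.0.4.22 http://news.example/lib.js http://news.example/ application/javascript
"""

def host_in(url, suffixes):
    """True if the URL's host equals or is a subdomain of one of the suffixes."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_suspect_script_loads(log_text):
    """Flag scripts that a webmail page pulled from a host outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, client, url, referer, ctype = parts
        if "javascript" not in ctype.lower():
            continue
        if not host_in(referer, WEBMAIL_SUFFIXES) or host_in(url, TRUSTED_SCRIPT_SUFFIXES):
            continue
        # A mailbox ID in the query string suggests a per-recipient payload.
        ids = [v for _, v in parse_qsl(urlsplit(url).query) if MAIL_ID.fullmatch(v)]
        findings.append({"time": ts, "client": client,
                         "host": urlsplit(url).hostname, "mail_ids": ids,
                         "severity": "high" if ids else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_suspect_script_loads(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a webmail page pulled script from an unexpected host; confirming compromise still means checking the affected account's forwarding settings.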
When employees who check their personal email accounts at work are victimized, the attacker gains access to sensitive information that may be related to their company, including contacts and confidential messages. Companies should seriously consider the risks that this and similar attacks pose, especially since merely previewing email messages already triggers the malicious script’s execution.
TrendLabs engineers are currently working on a more detailed analysis of this attack. Users are advised to exercise caution when opening their personal email inboxes, especially at work, since attacks like this may inadvertently compromise sensitive corporate data.
Trend Micro already detects the malicious script as JS_AGENT.SMJ and blocks access to the malicious URL used in this attack. We strongly advise Trend Micro product users to immediately enable the Web reputation feature of their software to avoid being victimized by this and similar attacks. Non-Trend Micro customers can also protect themselves by using a combination of our free tools like Web Protection Add-On and Browser Guard.
Update as of May 25, 2011, 10:24 PM Pacific Time
After further analysis, we’ve found that this attack was done through a vulnerability in Hotmail, which Microsoft has already fixed. Details can be found in our blog entry, Trend Micro Researchers Identify Vulnerability in Hotmail.
24 Responses to “Targeted Attack Exposes Risk of Checking Personal Email at Work”
May 14th, 2011 at 9:06 am
Well, what a surprise, another Facebook privacy/security related issue. If it isn't some vulnerability with their site, it's someone exploiting their vulnerabilities and attacking others.
May 16th, 2011 at 11:26 am
But I believe that Hotmail will block the script from execution by default. Right? The script should only be executed when the user enables the feature specifically.
May 29th, 2011 at 3:24 pm
What this article failed to mention was that many corporations use Hotmail for business e-mail. It really isn't about employees being allowed to check their personal e-mail as much as it's about outsourcing e-mail to irresponsible companies.