Back in the days when Windows 98 was the latest Microsoft operating system, HTML email messages accounted for a large number of infected Windows-based systems. Surprisingly, things have not changed much since. Accepting and displaying HTML email messages still poses a great deal of threat to email users, regardless of which operating system they use, and even if that system is immune to an attack that relies on vulnerabilities of other systems.

To illustrate, here are some of the possible threats posed by the use of HTML messages, including, but not limited to, virus and other malware infections, which still account for a high degree of risk.

Using HTML email, a malicious person can perform various scams and phishing attacks. These attacks consist of fooling the targeted user into giving out personal information such as name, address, email address and bank account details. They typically involve impersonating a legitimate website with which the user may have previously registered and created an account.

Some scammers go as far as impersonating banks or other financial institutions such as PayPal, in order to obtain credit card numbers or other personal details that can later be used to purchase goods, or even to empty a bank account. Many bank account frauds are carried out this way. As a countermeasure, if HTML emails are filtered at the server level so that only text is displayed, such fraud attempts can be blocked and prevented.

Email clients take different approaches to HTML email. Mozilla Thunderbird, for example, does not display HTML content by default, whereas Outlook Express does. This does not mean that scams cannot be performed using plain text as well, but the probability of someone believing a text message is lower compared with seeing an exact replica of their bank's website requesting their personal details.

Compared with these attempts by some of our peers to scam people out of their personal information, viruses and worms do not use the same techniques. Their goal may be to infect the operating system, but the infection mechanism may be hidden behind a special offer for a free product, one that may actually cost the user a lot more than if they had bought a similar product for real money.

Another commonly encountered threat is that simply viewing an HTML message can trigger the delivery of more spam to the user's mailbox.

How is that possible, you may ask? For instance, the spammer sends HTML messages that contain a different image filename link in each of the messages sent out. He also keeps an association between each image filename link and the email address the message is sent to. When the message is displayed on the user's computer, if HTML viewing is enabled, the respective image file is automatically requested from the spammer's server.

At this point, the spammer knows that the message has been viewed on a computer and, based on the requested filename and the association he created, he now knows that the respective email address is in use. As a result, the spammer has found an active email user whom he can try to convince to buy some of the products he advertises. Another source of income for the spammer is selling a database of verified addresses, which is far more valuable than a database in which three quarters of the addresses bounce.

This concludes some of the most important scenarios and consequences of using HTML in an email application.