Back in the days when Windows 98 was the latest Microsoft operating system, HTML email messages accounted for a large number of infected Windows-based systems. Surprisingly, things have not changed much since. Accepting and displaying HTML email messages still poses a great many threats to email users, regardless of which operating system they use, and even where that system is immune to an attack that relies on vulnerabilities in other systems. To illustrate, here are some of the possible threats posed by the use of HTML messages, including, but not limited to, virus and other malware infections, which still account for a high degree of risk.

Based on HTML email, a malicious person is able to perform various scams and phishing attacks. These attacks consist of fooling the targeted email user into giving out personal information such as name, address, email address and personal bank account details. Such attacks involve impersonating a legitimate website with which the user may previously have registered and created an account.

Some scammers go as far as impersonating banks or other financial institutions such as PayPal, in order to obtain credit card information or other personal details that can later be used to purchase goods, or even to empty a bank account. Many bank account frauds are carried out this way. As a countermeasure, if HTML email is filtered at server level so that only text is displayed, such fraud attempts can be blocked and prevented.

Email clients take different approaches to HTML email. Mozilla Thunderbird, for example, does not display HTML content by default, whereas Outlook Express displays HTML content by default. This does not mean that scams cannot be performed using plain text as well, but the probability that someone will believe a text message is lower than when they see an exact replica of their bank's website requesting their personal details.

Compared with these attempts by some of our peers to scam people out of their personal information, viruses and worms do not use the same techniques. Their goal may be infecting the operating system, but the infection mechanism may be hidden behind a special offer for a free product, which may actually cost the user a lot more than if they had bought a similar product for real money.

Another commonly encountered threat is that simply viewing an HTML message can trigger the delivery of more spam to the user's mailbox.

How is that possible, you may ask? For instance, the spammer sends HTML messages that contain a different image filename link in each of the messages sent out. He also keeps an association between each image filename and the email address the message was sent to. When the message is displayed on the user's computer, if HTML viewing is enabled, the respective image file is automatically requested from the spammer's server.

At this point, the spammer knows that the message has been viewed on a computer and, based on the requested filename and the association he created, he now knows that the respective email address is in use. As a result, the spammer has found an active email user whom he can try to convince to buy some of the products he advertises. Another source of income for the spammer is selling a database of verified addresses, which is far more valuable than a database in which three quarters of the addresses bounce. Note that the request is only made if the client fetches remote content automatically; a client that displays the message as plain text, or that blocks remote images until the user explicitly allows them, never contacts the spammer's server, so the address is not confirmed.

This concludes some of the most important scenarios and consequences of using HTML in an email application.
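The following is an added worked example of the tracking-image scheme described in the spam section above; it is not code from the original article. It shows both sides: the sender generating a per-recipient image filename and keeping the filename-to-address association, then replaying constructed web server access-log lines to learn which addresses rendered the message; and the defender-side filter that reduces the message to plain text so no remote image is ever requested. The host `spammer.example`, the HMAC-derived token (the article only says "a different image filename"), the campaign secret and the Apache-style log lines are all assumptions made for this example.

```python
"""Tracking-image ("web beacon") demonstration: sender and defender sides.

Added example, not code from the article. The host spammer.example, the
HMAC token scheme, the secret and the log lines are all constructed here.
"""
import hashlib
import hmac
import re
from html.parser import HTMLParser

BEACON_HOST = "spammer.example"   # assumed, hypothetical sender host
SECRET = b"per-campaign secret"   # assumed; keeps tokens unguessable


def beacon_token(address: str) -> str:
    """Derive a per-recipient image filename from the address.
    HMAC (rather than a counter) stops recipients enumerating or forging
    each other's tokens; 16 hex characters is plenty for this purpose."""
    digest = hmac.new(SECRET, address.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def build_campaign(addresses):
    """Return (messages, mapping): one HTML message per address and the
    token -> address association the sender keeps on his own side."""
    mapping, messages = {}, {}
    for addr in addresses:
        tok = beacon_token(addr)
        mapping[tok] = addr
        messages[addr] = (
            "<html><body><p>Special offer!</p>"
            f'<img src="https://{BEACON_HOST}/img/{tok}.gif" width="1" height="1">'
            "</body></html>"
        )
    return messages, mapping


# Request line of an Apache-style access log: "GET /img/<token>.gif HTTP/1.x" <status>
LOG_RE = re.compile(r'"GET /img/([0-9a-f]{16})\.gif HTTP/1\.[01]" (\d{3})')


def confirmed_active(log_lines, mapping):
    """Replay the server log: a 200 for a known token means the matching
    address displayed the message with remote content enabled."""
    active = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "200" and m.group(1) in mapping:
            active.add(mapping[m.group(1)])
    return active


class _TextOnly(HTMLParser):
    """Defender side: keep visible text, drop every tag, and with it every
    remote image reference, as the server-level text filter would."""
    def __init__(self):
        super().__init__()
        self.parts, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.parts.append(data)


def html_to_text(html: str) -> str:
    """Reduce an HTML body to its visible text with whitespace collapsed."""
    p = _TextOnly()
    p.feed(html)
    p.close()
    return " ".join(" ".join(p.parts).split())


def remote_references(html: str):
    """List the remote image URLs an HTML-rendering client would fetch."""
    return re.findall(r'<img[^>]+src="(https?://[^"]+)"', html, flags=re.I)


if __name__ == "__main__":
    recipients = ["alice@example.org", "bob@example.net", "carol@example.com"]
    messages, mapping = build_campaign(recipients)
    # Constructed log lines: alice and carol rendered the HTML, bob did not,
    # and one request carries a token that was never issued.
    log = [
        f'203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /img/{beacon_token("alice@example.org")}.gif HTTP/1.1" 200 43',
        f'198.51.100.7 - - [10/Oct/2000:14:02:11 +0000] "GET /img/{beacon_token("carol@example.com")}.gif HTTP/1.0" 200 43',
        '198.51.100.9 - - [10/Oct/2000:14:05:00 +0000] "GET /img/0123456789abcdef.gif HTTP/1.1" 404 0',
    ]
    print("confirmed active:", sorted(confirmed_active(log, mapping)))
    print("bob sees (text filter):", html_to_text(messages["bob@example.net"]))
    print("bob's client would fetch:", remote_references(messages["bob@example.net"]))
```

Running the script lists alice and carol as confirmed-active addresses while bob, whose client never requested the image, stays unconfirmed; the text-filtered version of the message contains no remote reference at all, which is exactly why displaying only text (or blocking remote images) defeats the scheme.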