Gmail will block JavaScript attachments from February

Earlier this month Gmail users were warned about huge phishing attack[1] which was aimed to steal usernames and passwords. It seems that a success of this attack was the last straw for Google. Recently, it declared a war towards cyber crimes[2] and took 1 billion[3] users’ safety to the next level by banning possibility to send JavaScript files on Gmail. From the 13th of February the only option to send .JS files via Gmail is to upload them to the Google Drive (or other cloud storage) first, and only then send a link. Malware developers have been spreading malicious spam emails with obfuscated JavaScript files for two years, but fortunately, their good days are over. There’s no doubt that this new restriction has a huge impact in fighting ransomware.

Gmail will block JavaScript attachments from February

During the past years, the amount of ransomware and malware attacks was rapidly growing, and malicious spam emails were the main distribution channel. No matter how much cybersecurity experts talk about the necessity to double-check the information before opening email attachments, hundreds of thousands of users were tricked by the hackers and lost their personal files to ransomware viruses. For example, sending obfuscated JavaScript files via emails gained the infamous Locky ransomware a huge success and caused damage for many computer users.

In order to prevent virus distribution, at the moment Gmail users cannot attach and send these file types neither directly nor in the archive: .ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JSE, .LIB, .LNK, .MDE, .MSC, .MSI, .MSP, .MST, .NSH, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, .WSH[4]. In two weeks’ time this list will be expanded by .JS file as well. Gmail does not allow sending documents with malicious macros, password-protected archives or archives including previously mentioned files.

Nevertheless, Google is going to protect users from malicious emails; you should still be careful with your inbox. Hackers and crooks have many other ways how to trick users, infect computers and swindle the money. Before opening safe-looking email attachments, clicking on links or providing some personal details, always make sure that you can actually trust the sender. Lack of credentials, grammar or spelling mistakes, and other small details help to recognize malicious emails[5] and protect yourself.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions