Mal/HTMLGen

Mal/HTMLGen indicates that Sophos has blocked access to a malicious webpage.

Malicious webpages can be one of many kinds of webpages built to harm systems and devices, steal information, or give an attacker control over the system and its information.

Malicious webpages are often used in conjunction with spam email attacks that contain links to the malicious webpage. Attackers will use social engineering and forgery tactics to convince users the links are trustworthy and convince them to click on the links, taking them to the malicious webpage. Another tactic attackers will use to get malicious webpages in front of potential victims is rogue search engine optimization (SEO), in which the attackers take specific steps to fool search engines into believing their malicious webpages are not only legitimate but more desirable to users than legitimate webpages.

Malicious webpages are often hosted on sites with addresses that are similar to legitimate, trusted ones. One tactic attackers use to make malicious sites look legitimate is called “typosquatting”: Using numbers to replace letters (like zeros for “o”s), deliberate misspellings (like “Sopos” instead of “Sophos”), or other ways to make incorrect addresses look legitimate. Another attacker tactic is to have the legitimate, recognized name visible somewhere in the address but not actually be the domain name used (like “www.sophos.badguysite.com” instead of “www.sophos.com”).

Common types of malicious webpages include:

• Malware-Hosting Pages: Pages that attempt to load malware on the user’s system. This category can include pages that try to use vulnerabilities to automatically download malware (sometimes called “drive-by attacks”) and those that try to use social engineering to convince users to download and install the malware themselves. One common social engineering tactic is to make fake web pages that imitate legitimate ones and convince users to visit the site (often through spam campaigns that include malicious links) and download what they believe is legitimate software but in fact is malware.
• Phishing Pages: Pages that attempt to steal personal and/or financial information from a user when the user visits the page. The best-known examples of these are sites that attempt to steal users’ account information (usernames and passwords) for specific sites by imitating (“spoofing”) those sites. One of the most common varieties of malicious webpages spoofs financial sites and tries to steal the users’ account information which attackers will then use to steal money from the user. Another common variety of malicious webpage attempts to steal account information, which attackers will then use to impersonate the user on the site. Frequently this is done in attempts to take over online accounts such as streaming accounts, or important personal sites like email sites that can be used for additional attacks like identity theft. In some cases, the phishing page will redirect to the legitimate organization’s website afterwards, to hide the fact that information has been stolen.

The following text explains some different possible types of detection.

• Mal/HTMLGen-A – The web page has been classified as malicious by SophosLabs' reputation data. Any specific malicious content found will be detected with a separate detection name. Web pages blocked by Sophos products as Mal/HTMLGen-A are likely to be present in an infection chain aimed at downloading and executing malware on a user's machine.  
  Note: Mal/HTMLGen-A is not detection of a malware payload on an infected machine. Instead it indicates a Sophos product is blocking access to a remote website we believe to be either malicious (a site whose sole purpose is to infect users with malware) or compromised (a legitimate site, but one that has been hacked in order to infect or redirect users).

A detection of Mal/HTMLGen-A indicates that access to a web page has been blocked by Sophos Live URL filtering. If you believe the detection to be in error, please submit a Reassessment Request to have the page’s reputation re-evaluated.