Self-contained phisher includes fake web page - no need to redirect to new site

News by Rene Millman

To avoid the need to get victims to click onto a new website, a new attack phishing landing page is attached as HTML file with hidden JavaScript.

Security researchers have warned of a recently discovered phishing campaign which uses a cunning way to avoid creating and operating landing pages to deceive users and steal their credentials.
According to ISC security researcher Jan Kopriva, hackers have instead attached an html file with the email so that the landing page is generated directly by the browser on the recipient's computer. Normally, phishing email steal credentials by making a victim click on a link which leads to a phishing website that looks like a login page for some valid service.
In this campaign, the email looked like a traditional payment notice phishing with a fairly usual text. The emails also had an HTML attachment. Kopriva said that when HTML attachments are used in a credentials-stealing phishing, the HTML code usually either redirects the browser to a fake login page, or it directly loads the fake login page from a source on the internet.
"This HTML page turned out not to do either of those," he said in a blog post. Kopriva added that within the HTML code were 4735 empty lines followed by a lot of obfuscated JavaScript along with several legitimate and only Base64-encoded JavaScript libraries.
"Since the JavaScript was over 600k characters long (not counting the legitimate libraries), manual de-obfuscation and analysis of the code was not a realistic option," he said.
The researcher then looked at the website in a browser. After opening the file in Chrome in a VM, it became obvious why the script was so large. Unlike most other HTML-based phishing attachments, this one didn’t depend on an external fake login page, but carried the entire thing inside its body.
The page was supposed to look like a Microsoft site, the scammers provided a list of multiple valid email providers one could use to "log in".
While the page appears to contact the relevant email server, it is in fact sending a HTTP GET request containing credentials specified by the user to a remote web server at hxxp://7l748.l748393.96.lt/. It also asks for a phone number and a recovery email. The victim is the directed a low-quality picture of the supposed invoice.
Kopriva said that the only unusual part of this phishing remains the fact the entire phishing page is delivered as an attachment. 
"My suspicion is that this was intended to bypass security filters and analytics on web proxies (or provided by SafeLinks), but whatever the reason was, the idea is quite intriguing," he added.
Joan Pepin, chief security officer at Auth0, told SC Media UK that phishing attacks have become more sophisticated and creative, but still rely on tricking people into divulging confidential information by impersonating familiar domains. 
 
"To be clear, no company that has users with email addresses is impervious to phishing scams, but password methods of authentication especially expose users to these types of "social engineering" attacks. Single Sign-On, Multifactor Authentication, and Passwordless are all security measures companies should consider to help prevent credential harvesting via phishing," she said.
 
"Security awareness training is also critical. Employees are often the weakest link in a cyber-security strategy, and even if your company is doing everything right from a technology perspective, employees can still make mistakes. Having a dedicated CISO with a voice in the boardroom, and trainings specifically designed to teach employees to spot phishing attempts can go a long way in reducing your exposure to a data breach."
Corin Imai, senior security advisor at DomainTools, told SC Media UK that many organisations find it useful to flag emails coming from an external server by applying a simplified yellow banner at the top of the message: it is a simple yet effective way to warn users of a potential risk. 
"Another effective preventive measure could be putting in place a system where employees can easily ask the security/IT team to check whether a suspicious email is in fact malicious – Microsoft even offers the option of integrating a ‘report phishing’ button on Outlook," she said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews