In the ongoing game of cops-and-robbers that network security so often involves, the cops have recently upped the ante on phishing detection in modern Web browsers. These days browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox have become more adept at catching phishing attempts at work, and warning users that they might be subect to attack. This has put the onus on attackers to figure some way around such detection. Human ingenuity being what it is (ingenious and persevering), attackers have come up with a clever new ploy that avoids this type of detection as reported on March 15 on the M86 Security Labs website (see "Phishing Scam in an HTML Attachment" for screencaps and more technical details).
The essence of the attack hangs on the inclusion of an HTML file inside spam email messages. This avoids the need for HTML commands to jump to the phishing site, thereby bypassing the phishing checks built into modern Web browsers. If there is no check performed, the browser can't block access to the site, either. Instead a spoofed PayPal submission form appears inside the email software complete with all the account information and a submit button. When that button is clicked, the page issues an HTML request that doesn't get checked in the browser, and the scam is back on. A PHP script on a hacked or malicious Web server extracts the account info, then redirects the browser to PayPal's home page, and browsers detect no signs of malicious activity and issue no warnings.
Bottom line: users must be wary of HTML attachments in e-mail. If they will only stop to remember that reputable companies do not solicit account information via e-mail, and that providing account information to any Web page that the user does not proactively open on their own (NOT from any provided link or button), phishing still cannot succeed. Share this with your users, with this admonition: "Read and heed, or get your credentials stolen!"
Stu Sjouwerman
KnowBe4
The essence of the attack hangs on the inclusion of an HTML file inside spam email messages. This avoids the need for HTML commands to jump to the phishing site, thereby bypassing the phishing checks built into modern Web browsers. If there is no check performed, the browser can't block access to the site, either. Instead a spoofed PayPal submission form appears inside the email software complete with all the account information and a submit button. When that button is clicked, the page issues an HTML request that doesn't get checked in the browser, and the scam is back on. A PHP script on a hacked or malicious Web server extracts the account info, then redirects the browser to PayPal's home page, and browsers detect no signs of malicious activity and issue no warnings.
Bottom line: users must be wary of HTML attachments in e-mail. If they will only stop to remember that reputable companies do not solicit account information via e-mail, and that providing account information to any Web page that the user does not proactively open on their own (NOT from any provided link or button), phishing still cannot succeed. Share this with your users, with this admonition: "Read and heed, or get your credentials stolen!"
Stu Sjouwerman
KnowBe4
