In a traditional phishing scam, a phisher usually sets up a website with a fake login form imitating a legitimate online services such as bank, social networking website, auction site or a payment processing service. In an attempt to lure in users, the phisher spams a link to the website through email or instant messaging. Unfortunately for the phishers, modern browsers like Mozilla Firefox and Google Chrome have become quite good at detecting phishing, immediately warning users when a potential phishing site is being opened.
Mozilla Firefox and Google Chrome warning users of a phishing site.
Phishers, however, have found ways to circumvent this anti-phishing protection by attaching an HTML file to the spam email. This system avoids the HTTP GET request to the phishing site, thus avoiding being blocked by the browser. For example, take a look at these spam samples:
Multiple sample of phishing spam campaign with an HTML attachment.
The HTML attachment, stored locally, successfully opens in the browser without the user being warned.
Sample of a phishing HTML form targetting PayPal users. HTML file is saved in the local directory.
When the victims enter their information and click the “Agree and Submit” button, the HTML form sends the stolen information through a POST request to a PHP script hosted on a hacked legitimate webserver (in one case, Fritolay.com)
Usually, stolen information are sent to a hack PHP webserver. (note: we notified Fritolay of the offending php file and observe that it has now been removed.)
The phisher’s PHP script then redirects the browser to Paypal’s homepage after successfully submitting stolen information. While the POST request sends information to the phisher’s remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity. Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective. Logically, however, the browser should be able to detect a URL when the browser sends the POST request. So what makes this type of phishing tactic harder to detect from the browser perspective? Here’s a couple of reasons:
1. Few PHP URLs are reported as abuse. Average users are not able to report any URL because no phishing URL is visible, unless they are technical enough to view the HTML source code.
2. The URLs are hard to verify as phishing sites. The URL alone without the accompanying HTML form would be hard to verify as a phish site because the PHP script runs in the server and no visible HTML is displayed after clicking the submit button, other than redirecting the browser elsewhere to the target brand’s homepage.
We have seen an increase in these types of phishing spam campaigns over the last few months. Last month we blogged about a clever phishing campaign targeting Bank of America online users that uses this same phishing tactic. So be wary of HTML attachments included in an email. If the email seems suspicious, avoid opening the HTML attachment. And if you do happen to open it, be particularly leery of any HTML form requiring you to enter sensitive information.
