Crime Files Network

Phishers use new bait to trap victims

By Elinor Mills, on March 17th, 2011To get around phishing blacklists in browsers, scammers are luring people by using HTML attachments instead of URLs, a security firm has warned.

HTML phishing scamAn example of a phishing attack encouraging the recipient to download an HTML attachment and provide information. Note the poor grammar, “required informations”, which should be a red flag. (Credit: M86) 

Chrome and Firefox are good at detecting phishing sites and warning web surfers via a browser notice when they are about to visit a site that looks dangerous. So good, in fact, that scammers are resorting to a new tactic to lure victims into their traps via emails — attaching HTML files that are stored locally when they are opened, according to an M86 blog post.

After the user fills in a form with the information the scammers want to steal and clicks “submit”, the HTML form sends the data through a POST request to a PHP (Hypertext Preprocessor) script hosted on a legitimate web server that has been compromised. (POST is used when a computer is sending data over the internet to a web server.) Because few PHP URLs are reported as abuse, this action does not trigger a warning from the browser, M86 said.

“Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective,” the blog post said. “Logically, however, the browser should be able to detect a URL when the browser sends the POST request.”

The phishing URLs alone without the HTML form are hard to verify because the PHP script runs in the server and no visible HTML is displayed after clicking the submit button, other than redirecting to a page belonging to the company the scammer was pretending to be, the post said.

To protect against this, people should avoid opening HTML attachments if the email seems suspicious and not provide any information in forms. Financial institutions do not send such attachments to customers.

While many people will click on a link in an email that looks like it comes from their bank, fewer are likely to open the HTML attachment.

Mozilla representatives did not provide comment on the report today. Meanwhile, Google provided this comment: “Google has a number of defences against phishing sites to help protect our users. For example, Gmail checks HTML attachments for phishing sites and displays a warning to users when one is detected. We always encourage users to be cautious when handling unexpected attachments and when providing personal information requested by email.”

Via CNET  

Add A Comment


Subscribe to Crime Files Network