“Please review the attached file”: Using HTML attachments allows phishers to avoid detection
Kaspersky experts warn users about the growing threat coming from the increased numbers of phishing emails containing HTML files. From January to April 2022, Kaspersky researchers blocked nearly 2 million phishing emails containing HTML attachments. Using HTML files in phishing letters is one of the latest and popular tricks abused by fraudsters. Usually, such links are easily detected by anti-spam engines or antivirus software but using HTML attachments has allowed cybercriminals to avoid detection.
Many users aren’t even aware that files in phishing emails can be insecure, so they unsuspectingly open these HTML attachments, which turn out to be dangerous and targeted weapons used by cybercriminals. Fraudsters can stylize HTML attachments to make them look identical to the pages on a company’s official website. They target the official website’s users and copy its style, images, scripts and other multimedia components, using it as bait to trick their victims into entering vulnerable data in the phishing form.
Cybercriminals lure victims into opening malicious HTML attachments, claiming that the file is only safe through this link
There are two main types of HTML attachments used by cybercriminals: HTML files with a phishing link or entire malicious pages. In the first case, attackers will send an HTML file with text inside, claiming to have important data, such as a bank’s notification about a large transfer attempt. The user is prompted to click on a link to the bank’s site, to stop the transaction, which instead leads to a phishing page. In some cases, the victim doesn’t even have to click the link. When the user tries to open the HTML attachment, it will automatically redirect them to a malicious site. Once on this page, victims are requested to fill out a data-entry form to review business-related files, protect their bank account or even receive a government payment. It is only later that the victim finds out they’ve had their personal data and bank details stolen.
The second type of HTML attachments are entire phishing pages. These files allow cybercriminals to save on hosting fees and avoid using websites because the phishing form and the script used to collect data are fully contained within the attachment. Used as a phishing site, the HTML file can also be personalized, depending on the intended target and the attack vector used to gain the victim’s trust. For example, a fraudster could distribute a phishing email among the employees of a company, appearing as though it’s asking to verify a contract, but is actually a malicious HTML file. Such attachments will have all the visual attributes of that company: logo, style and even the name of the boss as its sender. Inside the file, the victim is requested to enter the login and password for their corporate account in order to access the document. This data then falls directly into the hands of the cybercriminal, who can use this information to break into the company’s corporate network.
An example of a phishing page in the HTML attachment
While security solutions can already block emails containing HTML attachments with malicious scripts or phishing links in plain text, cybercriminals are now using different tactics to avoid being blocked. For example, fraudsters often distort the phishing link or the whole HTML file with muddled or garbage code. Although this junk and incoherent text doesn’t appear on the user’s screen, it still makes it harder for anti-spam engines to detect and consequently block the email.
“Cybercriminals use cleverly disguised requests for login credentials to dupe unsuspecting victims into entering their usernames and passwords. Every year we block millions of phishing pages and this number is only expected to grow, meaning users must stay alert and be aware of the danger that these emails can bring. Cybercriminals have created a complex and advanced infrastructure where even novice scammers can create thousands of phishing pages, using ready-made templates, then target a vast range of users. With any amateur now able to create his own phishing page, you have to be particularly careful when opening any links from an email or messaging service”, comments Roman Dedenok, security researcher at Kaspersky.
Read the full report about the phishing HTML attachments on Securelist.
To protect yourself from phishing, Kaspersky recommends:
Сhecking every link before clicking. Hover over it to preview the URL and look out for misspellings or any other irregularities.
Only entering a username and password over a secure connection. Look for the HTTPS prefix before the site URL, indicating the connection to the site is secure.
Remembering that even if a message or a letter appears to come from one of your best friends, their account might have been hacked. Remain cautious in all situations and scrutinize all links and attachments even if they seem to come from a friendly source.
Paying special attention to messages that appear to be from official organizations, such as banks, tax agencies, online shops, travel agencies, airlines and so on. Even internal messages from your own office. It’s not hard for criminals to fabricate a fake letter that looks legitimate.
Avoid opening any unexpected files sent by online gaming friends or other online buddies. They may contain ransomware or even spyware, just like attachments from official-looking e-mails.
Providing your staff with basic cybersecurity hygiene training. Conduct a simulated phishing attack to ensure that they know how to distinguish phishing emails from real ones.
Using a protection solution for endpoints and mail servers with anti-phishing capabilities, such as Kaspersky Endpoint Security for Business, to decrease the chance of infection through phishing emails.
Protecting your Microsoft 365 cloud service, if using it. Kaspersky Security for Microsoft Office 365 has a dedicated anti-spam and anti-phishing function as well as protection for SharePoint, Teams and OneDrive apps to keep business communications secure.