Cyber experts warn about growing threat of phishing attacks containing HTML files

Kaspersky cyber experts have warned users about the growing threat coming from the increased numbers of phishing emails containing HTML files.

From January to April 2022, Kaspersky researchers blocked nearly two million phishing emails containing HTML attachments.

 

Tricks

Using HTML files in phishing emails is one of the latest popular tricks used by fraudsters. Usually, phishing links are easily detected by anti-spam engines or antivirus software, but using HTML attachments has allowed cybercriminals to avoid detection.

Many users aren’t even aware that files in phishing emails can be insecure, so they unsuspectingly open these HTML attachments, which turn out to be dangerous and targeted weapons used by cybercriminals.

Bait

Fraudsters can stylise HTML attachments to make them look identical to the pages on a company’s official website. They target the official website’s users and copy its style, images, scripts and other multimedia components, using them as bait to trick their victims into entering sensitive data in the phishing form.

There are two main types of HTML attachments used by cybercriminals: HTML files containing a phishing link, and entire malicious pages. In the first case, attackers will send an HTML file with text inside, claiming to have important data, such as a bank’s notification about a large transfer attempt.

Link

The user is prompted to click a link, supposedly to the bank's site, to stop the transaction; the link instead leads to a phishing page. In some cases, the victim doesn’t even have to click the link.

When the user tries to open the HTML attachment, it will automatically redirect them to a malicious site. Once on this page, victims are requested to fill out a data-entry form to review business-related files, protect their bank account or even receive a government payment. It is only later that the victim finds out they’ve had their personal data and bank details stolen.

Attachment

The second type of HTML attachment is an entire phishing page. These files allow cybercriminals to save on hosting fees and avoid using websites because the phishing form and the script used to collect data are fully contained within the attachment.

Used as a phishing site, the HTML file can also be personalised, depending on the intended target and the attack vector used to gain the victim’s trust. For example, a fraudster could distribute a phishing email among the employees of a company that appears to ask them to verify a contract, but the attachment is actually a malicious HTML file. Such attachments will have all the visual attributes of that company: logo, style and even the name of the boss as its sender.

Inside the file, the victim is requested to enter the login and password for their corporate account in order to access the document. This data then falls directly into the hands of the cybercriminal, who can use this information to break into the company's corporate network.
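For mail-gateway or SOC triage, the traits of the two attachment types described above can be checked statically before anyone opens the file. The sketch below is an added example, not code from Kaspersky or the report; the verdict names, the `triage` function and the sample documents are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# JavaScript that navigates the browser with no click from the user.
REDIRECT_JS = re.compile(
    r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I)

class AttachmentTriage(HTMLParser):
    """Collects the traits of the two attachment types described above."""
    def __init__(self):
        super().__init__()
        self.findings = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.add("auto_redirect")      # opens a site on load
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.add("credential_form")    # form inside the file
        elif tag == "a" and a.get("href", "").lower().startswith(("http://", "https://")):
            self.findings.add("external_link")      # lure the user must click
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and REDIRECT_JS.search(data):
            self.findings.add("auto_redirect")

def triage(html):
    """Return (verdict, findings) for the text of one HTML attachment."""
    parser = AttachmentTriage()
    parser.feed(html)
    parser.close()
    # Most specific trait wins: a password form outranks a redirect or a link.
    for trait, verdict in (("credential_form", "phishing_page"),
                           ("auto_redirect", "redirector"),
                           ("external_link", "link_lure")):
        if trait in parser.findings:
            return verdict, sorted(parser.findings)
    return "no_indicators", []

# Constructed samples (example.invalid never resolves).
LINK = '<p>Large transfer attempt.</p><a href="https://bank.example.invalid/stop">Stop it</a>'
REDIRECT = '<script>window.location.href = "https://login.example.invalid/";</script>'
PAGE = '<form><input type="text" name="user"><input type="password" name="pw"></form>'
```

Obfuscated scripts will not match the regular expression, so the verdict is a triage hint for HTML that arrived as an email attachment, not a clean bill of health.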

To read the full report, go to: https://securelist.com/html-attachments-in-phishing-e-mails/106481/