
Another Day, Another Phishing Attack

There's a new, "exciting" way to use HTML files to phish users.
Apr 10th, 2023 9:42am by

It used to be so easy. Never, ever open a DOC or an XLS file from someone you don’t know. Ah well, those simple, early days of phishing are long gone. Mind you, people still fall for those attacks, but now phishing attacks have a new, novel way of getting onto your PCs. Perception Point’s Incident Response team has discovered a new way to phish using HTML files to conceal malicious scripts.

Now, using HTML as a vector isn’t new. Cyber crooks have been using HTML pages incorporated into phishing emails to bypass antivirus software and anti-spam technologies for some time now. Generally speaking, these work by using HTML files to redirect users to harmful websites, download files, or display phishing forms locally within the browser.

This works because security software often overlooks e-mailed HTML attachments. That’s so wrong! More recently, instead of using links to direct victims to fake cloud or bank login pages, hackers now entice users to download a fake login page. Thus, when a user downloads and opens an HTML attachment in their browser, the webpage is hosted on their device. With this, there’s no need for a public URL. With no URL pointing to it, this approach not only frees the attacker from maintaining a phishing page on a compromised site but also helps them bypass strict HTML constraints placed on email bodies.

Those attacks have been around for a while now. But the one Perception Point’s researchers found is designed to evade advanced detection. When security systems scan the HTML attachment, they only see a “harmless” Base64 encoded object. However, when decoded, the object leads to an SVG file, which is also encoded as a URL. Behind that, a second decoding reveals an obfuscated script intended for credential theft.
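
A defender-side check for the layering described above, as an added example that is not Perception Point's code or part of the original article: it peels Base64 and percent-encoded layers inside an HTML attachment and reports script or form markers that only become visible after decoding. Reading "encoded as a URL" as percent-encoding, the marker list, the 40-character threshold and the sample attachment are all assumptions made for this illustration.

```python
import base64
import re
from urllib.parse import quote, unquote

# Markers that should not surface inside an "opaque" embedded object (assumed list).
MARKERS = re.compile(r"<script|<form|onload\s*=|type=[\"']?password", re.I)
# Base64 runs of 40+ characters; shorter runs are ignored to limit noise (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def find_hidden(text, chain=(), found=None, max_depth=5):
    """Return {marker: encodings_peeled} for markers visible only after decoding."""
    found = {} if found is None else found
    if chain:  # depth 0 is the attachment as the scanner first sees it
        for m in MARKERS.finditer(text):
            found.setdefault(m.group(0).lower(), chain)
    if len(chain) < max_depth:  # bound the recursion against decode bombs
        plain = unquote(text)
        if chain and plain != text:  # percent layer inside a decoded object
            find_hidden(plain, chain + ("percent",), found, max_depth)
        for blob in B64_RUN.findall(text):
            try:
                inner = base64.b64decode(blob, validate=True).decode("utf-8")
            except ValueError:  # not Base64, or not text once decoded
                continue
            find_hidden(inner, chain + ("base64",), found, max_depth)
    return found

# Constructed, inert sample: placeholder script -> percent-encoded inside an
# SVG -> Base64 inside a data: URI, mirroring the layering the article describes.
_inner = "<script>/* constructed placeholder */</script>"
_svg = '<svg xmlns="http://www.w3.org/2000/svg">' + quote(_inner) + "</svg>"
SAMPLE = ('<html><body><object data="data:image/svg+xml;base64,'
          + base64.b64encode(_svg.encode()).decode()
          + '"></object></body></html>')
BENIGN = "<html><body><p>Invoice attached.</p></body></html>"

if __name__ == "__main__":
    print(find_hidden(SAMPLE))
    print(find_hidden(BENIGN))
```

A non-empty result means the attachment carries active content that a surface scan of the file would not see, which is a reasonable trigger for quarantine or sandboxed rendering.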

How It Works

The phishing page with the credential theft form is only visible within the browser. Here’s how it works:

  1. The attacker sends a phishing email with an HTML attachment, prompting the user to click on the attachment under the guise of an urgent payment.
  2. Upon opening the HTML file, the user is redirected to a spoofed Microsoft login page, where they are expected to enter their credentials and fall victim to the phishing scam.

Perception Point would like to remind you that it’s an e-mail security company, and it can help you block this kind of attack with its Advanced Email Security Solution. They’re not wrong. The attack they found is a tricky way of getting around the defenses. And, let’s face it, I can see this one successfully attacking even wary Windows users. It’s a sneaky little thing.
