Phishing: Two million attacks via HTML files

Kaspersky experts warn of the growing threat of phishing emails with HTML files [1]. From January to April 2022, Kaspersky blocked almost two million phishing emails with such attachments. Using HTML files in phishing messages is one of the latest and most popular tricks used by scammers.

Phishing links are usually easy for anti-spam engines or anti-virus software to detect; however, using HTML attachments has allowed cyber criminals to avoid detection.

Approaches of HTML phishing

Many users are unaware that files in phishing emails can be unsafe, so they often open malicious HTML attachments unsuspectingly. Cyber criminals design these HTML attachments to look like official company website pages. They target users of these official sites and copy their style, images, scripts, and other multimedia components to trick victims into entering sensitive data into the phishing form.

There are two main types of HTML attachments used by cyber criminals: HTML files containing a phishing link, and entire malicious webpages. In the first case, the attackers send an HTML file containing text that supposedly contains important data, such as a bank notification of a large transfer attempt. The user is prompted to click a link to the bank's website to stop the transaction, but is instead directed to a phishing site. In some cases, the victim doesn't even have to click the link: when the user tries to open the HTML attachment, they are automatically redirected to a malicious website. This page asks victims to fill out a data-entry form to verify business-related files, protect their bank account, or even receive a government payment. Only later does the victim find out that their personal data and bank details have been stolen.

Entire phishing pages as email attachments

The second type of HTML attachment is an entire phishing page. These files allow cyber criminals to save on hosting fees and do without websites, because the phishing form and the data collection script are fully contained in the attachment. Like a phishing site, the HTML file can also be personalized depending on the target and the attack vector used to gain the victim's trust. For example, a scammer could send company employees a phishing email that appears to be a request to review a contract, but is actually a malicious HTML file. Such attachments show all the visual attributes of the company: logo, corporate identity (CI) and even the name of the boss as the sender. The file prompts the victim to enter their company account login credentials to access the document. This data then falls directly into the hands of the cyber criminals, who can use this information to break into the corporate network.

Cyber criminals use new tactics for phishing success

Since modern security solutions can already block emails containing HTML attachments with malicious scripts or phishing links in plain text, cybercriminals are now using other tactics to avoid blocking. Scammers often distort the phishing link or the entire HTML file with obscure or unusable code. Although this junk code and disjointed text do not appear on the user's screen, they make it difficult for anti-spam engines to detect and then block the email.
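
A triage sketch for the attachment traits described above (automatic redirects, a self-contained credential form, and invisible junk padding), added here as an illustration and not taken from Kaspersky's products or report. The heuristics, finding labels and sample markup are assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns (assumptions for this sketch, not vendor detection rules).
REDIRECT_JS = re.compile(r"\blocation(?:\.href)?\s*=|\blocation\.(?:replace|assign)\s*\(", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}

class AttachmentTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.stack = set(), []   # stack holds (tag, is_hidden)
        self.remote_form = False                # inside a form posting to another host
        self.chars = [0, 0]                     # [visible, hidden] text length

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv") == "refresh" and "url=" in a.get("content", ""):
            self.findings.add("meta-refresh redirect")
        if tag == "form":
            self.remote_form = a.get("action", "").startswith(("http://", "https://", "//"))
        if tag == "input" and a.get("type") == "password" and self.remote_form:
            self.findings.add("password field posts to remote host")
        if tag not in VOID:  # an element is hidden if it or any ancestor is hidden
            hidden = "hidden" in a or bool(HIDDEN_CSS.search(a.get("style", "")))
            self.stack.append((tag, hidden or (bool(self.stack) and self.stack[-1][1])))

    def handle_endtag(self, tag):
        while any(t == tag for t, _ in self.stack) and self.stack.pop()[0] != tag:
            pass
        if tag == "form":
            self.remote_form = False

    def handle_data(self, data):
        tag, hidden = self.stack[-1] if self.stack else ("", False)
        if tag == "script" and REDIRECT_JS.search(data):
            self.findings.add("script redirect")
        elif tag not in ("script", "style"):
            self.chars[hidden] += len(data.strip())

def triage(html):
    p = AttachmentTriage()
    p.feed(html); p.close()
    if p.chars[1] > p.chars[0]:
        p.findings.add("mostly hidden text (possible junk padding)")
    return sorted(p.findings)

# Constructed sample: credential form padded with text that never renders.
SAMPLE = ('<html><body><div style="display:none">lorem junk text padding that never renders</div>'
          '<form action="https://collector.example/post"><input type="password" name="p"></form>'
          '<p>Sign in</p></body></html>')
```

`triage(SAMPLE)` returns the list of findings for one attachment body; a mail gateway hook would call it on each decoded `text/html` attachment and treat any finding as a reason for quarantine or closer inspection.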

Disguised requests for credentials

"Cybercriminals use cleverly disguised requests for credentials to trick unsuspecting victims into entering their usernames and passwords," said Roman Dedenok, security researcher at Kaspersky. “We block millions of phishing sites every year and we expect that number to grow. Cyber ​​criminals have created a complex and advanced infrastructure that allows even inexperienced scammers to create thousands of phishing pages using ready-made templates [2], thus reaching a wide range of users. Now that any amateur is able to create their own phishing site, extra care must be taken when opening links from an email or messaging service.”

Kaspersky tips to protect against phishing attacks

  • Before clicking any links, each of them should be checked carefully. Hovering the mouse pointer over the link will give you a preview of the URL and the ability to check for spelling mistakes or other irregularities.
  • Username and password should only be entered over a secure connection. In addition, pay attention to the HTTPS prefix in front of the URL of the website. This indicates whether the connection to the website is secure.
  • Even if a message or letter appears to be from a best friend, their account may have been hacked. Therefore, users should exercise caution in all situations and check all links and attachments, even if they seem to come from a trustworthy source.
  • Special attention should be paid to messages that appear to come from official organizations such as banks, tax authorities, online shops, travel agencies, airlines. Even internal messages from your own company should be treated with caution. It's not difficult for criminals to fabricate a fake email that looks legitimate.
  • Avoid opening unexpected files sent by online gaming friends or other online friends. They can contain ransomware or even spyware, as can attachments from official-looking emails.
  • Employees should be offered basic cyber security training, such as Kaspersky Security Awareness [3]. Exercises using simulated phishing attacks ensure staff know how to distinguish phishing emails from genuine emails.
  • Use a protection solution for endpoints and mail servers with anti-phishing functions, such as Kaspersky Endpoint Security for Business [4], to reduce the risk of infection by phishing emails.
  • If the Microsoft 365 cloud service is used, it must also be protected. Kaspersky Security for Microsoft Office 365 [5] has dedicated anti-spam and anti-phishing functionality, as well as protection for SharePoint, Teams and OneDrive apps to keep business communications safe.

[1] https://securelist.com/html-attachments-in-phishing-e-mails/106481/
[2] https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/
[3] https://www.kaspersky.de/enterprise-security/security-awareness
[4] https://www.kaspersky.de/enterprise-security/endpoint
[5] https://www.kaspersky.de/enterprise-security/microsoft-office-365