Avoid these email attachments if you don't want to get phished

Cybercriminals are always looking for new ways to get their phishing attempts past antivirus engines, and attaching HTML documents to an email is an increasingly common way to do so.

Instead of inserting links to a phishing page in the body of an email, where email filters will likely find them, attackers use malicious HTML attachments to camouflage phishing content.

According to Kaspersky, there are two main types of HTML attachments used by cybercriminals: HTML files that contain a link to a fake website, and HTML files that contain a full-fledged phishing page. The first type allows an attacker to hide a link in the attached file and to automatically redirect a potential victim to a fraudulent site, while the second type allows an attacker to skip creating a fake website and save on web hosting costs.

Malicious HTML attachments are a growing threat and in the first four months of this year alone, Kaspersky detected nearly 2 million emails that contained them.

Hiding phishing pages in attachments

The phishing content found in HTML attachments is usually written in JavaScript in order to handle redirecting users to phishing sites or to harvest their credentials. Typically the HTML page sends data to a malicious URL that is specified in the script itself. However, if an attachment contains malicious scripts or links in plaintext, antivirus and other security software can block it — that's why cybercriminals use JavaScript obfuscation instead.

This technique involves moving code around in such a way that it’s difficult to read and make sense of. While some cybercriminals do this manually to make the original code harder to restore, others rely on any number of ready-made tools to do so.

Another tactic used to hide phishing content in email attachments is encoding or compressing their code so that it appears much smaller than it really is. In one recent instance, Kaspersky came across an email with a malicious HTML attachment that contained a full-fledged phishing page encoded in a tiny, two-line script.
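For anyone who administers a mail gateway, the traits described in this section (auto-redirects, credential forms, and pages hidden inside encoded strings) can be checked mechanically. The script below is an added example, not code from Kaspersky or the original article; the heuristic names, thresholds and the constructed sample message (which uses an `example.invalid` host) are assumptions made for illustration.

```python
import base64
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import unquote
# Heuristic names and patterns are this example's own, not a vendor rule set.
CHECKS = {
    "auto-redirect": re.compile(r"<meta[^>]+http-equiv=[\"']?refresh|location(\.href)?\s*=[^=]|location\.(replace|assign)\s*\(", re.I),
    "external-form-post": re.compile(r"<form[^>]+action=[\"']?https?://", re.I),
    "password-field": re.compile(r"<input[^>]+type=[\"']?password", re.I),
    "runtime-decoder": re.compile(r"\b(atob|unescape|eval|document\.write)\s*\(", re.I),
}
QUOTED = re.compile(r"[\"']([^\"']{40,})[\"']")  # long string literals

def decode_blob(blob):
    if blob.count("%") >= 10:  # looks percent-encoded
        return unquote(blob)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
    except ValueError:  # not valid base64
        return ""

def triage_html(html, depth=0):
    """Return the set of findings for one HTML body, peeling encoded layers."""
    findings = {name for name, rx in CHECKS.items() if rx.search(html)}
    if depth < 3:  # bound recursion on nested encodings
        for blob in QUOTED.findall(html):
            inner = decode_blob(blob)
            if "<" in inner:  # decoded text looks like markup
                findings |= {"encoded-payload"} | triage_html(inner, depth + 1)
    return findings

def scan_message(raw):
    """Map each HTML attachment's filename to its sorted findings."""
    report = {}
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            report[name] = sorted(triage_html(body))
    return report

def constructed_sample():
    """Constructed, harmless message: a stub form hidden behind atob()."""
    page = b'<form action="https://login.example.invalid/c"><input type="password"></form>'
    html = '<script>document.write(atob("%s"))</script>' % base64.b64encode(page).decode()
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(html, subtype="html", filename="invoice.html")
    return msg.as_bytes()
```

Running `scan_message(constructed_sample())` shows why decoding matters: the outer two-line script only trips the runtime-decoder check, while the form and password field appear once the encoded string is unpacked and rescanned.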

How to spot a phishing site or email

Phishing sites come in all shapes and sizes but they are often designed in such a way that they mimic legitimate web pages so that users don’t think twice when entering their credentials. Even if a cybercriminal makes an almost identical copy of a business’ webpage, looking for spelling errors on the page itself or checking its URL in your browser’s address bar can be a dead giveaway that it’s a fake site.

To avoid having the credentials to your online accounts stolen by cybercriminals, you should always head to a business’ login page via its website or through a search engine as opposed to through your email. This way you’ll know that you’re going to the actual site instead of to a fake one impersonating a brand or business.

When it comes to phishing emails, you should always avoid opening emails from unknown senders. Another trick cybercriminals use to lure you in is instilling a sense of urgency in their messages. Businesses and even the government will rarely if ever ask you to respond to one of their messages in a timely manner. At the same time, it’s worth noting that certain government organizations like the IRS will never contact you by email and any problems with your taxes will be communicated to you via the mail instead.

To avoid falling victim to phishing scams, you should avoid opening emails from unknown senders and this also holds true for any attachments they contain. Although Word files, PDFs and other office documents are commonly attached to emails, very few people send over websites as HTML attachments and if you see an email with one in your inbox, you can be almost certain it’s a phishing email.

As phishing is often used to steal credentials in order to commit fraud or even identity theft, you can use a password manager to securely store your passwords and even generate strong and complex passwords for each of your accounts to make them harder to crack or guess.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
