A clever phishing campaign has been spotted that bundles the scam’s landing page in the HTML attachment rather than redirecting users to another site that asks them to log in.
A typical credential-stealing phishing scam consists of an email where the attacker tries to convince the user to click a link in order to retrieve a document or prevent something from happening. These links will then bring the user to a web site, or landing page, that includes a login form where the user must enter their login credentials to proceed.
With this type of attack, users can either detect the scam by the contents of the email, by a suspicious remote site and landing page, or by alerts from security solutions.
Let’s show login form locally instead
To prevent users from becoming suspicious when they are redirected to a site with a strange domain or URL, a clever scammer decided to generate the phishing scam directly in the user’s browser without going to a remote site.
This new method was noticed by ISC Handler Jan Kopriva, who stated that they received a generic phishing email stating “Please find attached a copy of your payment notification” and containing an HTML attachment named ‘payment.html’.
This generated form also includes a variety of methods that users can log in to the site, including Gmail, Office365, Yahoo, Hotmail, and Yahoo.
At this point, though, it doesn’t matter if the remote site is blocked or deemed suspicious as the attacker has already received the stolen credentials.
As you can see, by generating the login form locally, rather than using a remote site, the attacker does not have to generate realistic-looking domain names and URLs to host their login forms.
Furthermore, by generating the landing page locally, they reduce the risk that their landing page will be discovered and removed.
This is just another tactic that email users will need to be aware of to protect themselves from becoming a victim of a phishing scam.