One type of phishing (https://bytelok.net/dont-take-the-bait-a-lesson-in-phishing) attack that is on the rise is one where the actor (hacker) sends an email that appears legitimate; often it will appear to come from a friend or colleague whose email address they have obtained from a list. The idea is to “spoof” or trick you into thinking that the message came from someone you trust, so you are inclined to trust both the sender and the content of the message.
We all know that .htm or .html attachments are links to a website and therefore think they are harmless. What’s the harm in clicking a link to a website when the worst that can happen is you’re taken to some random website, right? This couldn’t be farther from the truth when the email you receive tells you that your bank account has been frozen and you need to log in to reactivate the account…
You click the link, and it appears to be a legitimate website because it looks just like the bank’s website you pay your bills from (see below).
You might receive a link to this website in the form of an .htm (.html) attachment or a link embedded in the email which directs you to a website that looks like your banking website. However, for this attack to work, the website must look the same as the bank’s website, and you must enter your banking credentials. Most often we visit a website and assume that if it looks like the same site we frequently visit, it is legitimate. That’s our brain comparing the image in our mind with the website in front of us; the pictures look the same and the text appears to be the same, so it must be okay. But if we took another second or two to look at the website URL, in the case of a phishing attempt we would see that the address contains td.com but the complete URL might look like www.td.com.phishing-attempt.com. As internet users become savvier, hackers and phishers have had to develop more complex tactics such as obfuscation (like a smokescreen) of JavaScript code within the .htm files.
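As an added example (not part of the original post), here is a small Python checker that applies the URL inspection described above: it isolates the hostname and tests whether a trusted domain is the actual suffix of the name or merely embedded inside a longer one, then scans a blob of attachment text for every link. The trusted-domain list and the sample .htm body are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed list of domains the reader actually banks with (assumption for the example).
TRUSTED_DOMAINS = {"td.com"}

# Matches http(s) links inside HTML attributes or plain text; quotes and brackets end a URL.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, tolerating a missing scheme and trailing dot."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' if the host really belongs to a trusted domain, 'lookalike' if the
    trusted domain only appears in the middle of the name, else 'unrelated'."""
    labels = hostname_of(url).split(".")
    for domain in trusted:
        dlabels = domain.lower().split(".")
        n = len(dlabels)
        # Genuine: the host is the domain itself or a real subdomain of it (suffix match).
        if labels[-n:] == dlabels:
            return "trusted"
        # Lookalike: the same labels occur, but something else owns the real suffix.
        for i in range(len(labels) - n):
            if labels[i:i + n] == dlabels:
                return "lookalike"
    return "unrelated"


def scan_text(text: str, trusted=TRUSTED_DOMAINS):
    """Return [(url, verdict)] for every http(s) URL found in the text."""
    return [(u, classify(u, trusted)) for u in URL_RE.findall(text)]


# Constructed sample standing in for the body of a suspicious .htm attachment.
SAMPLE_HTM = """<html><body>
<a href="https://www.td.com.phishing-attempt.com/login?user=victim">Reactivate account</a>
<img src="https://www.td.com/static/logo.png">
</body></html>"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_HTM):
        print(f"{verdict:10} {url}")
```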
Recently, a client of ours received an email which looked legitimate, appeared to come from one of their own clients, and contained an .htm attachment. When we examined the contents of the file, we realized that hidden within the gibberish was a website link and JavaScript intended to download code to their computer and launch an attack locally. Other examples are less complex: the email address of the intended victim is “hard coded”, so when you click the link your email address is already filled in on the login page, giving the appearance of a legitimate website. With free tools available online, hackers and phishers can hide their code and even hide a phishing website behind a real domain to make it even more likely that the target will click the link.
We advise our clients that if they unexpectedly receive an email containing links or attachments, they should contact the sender before opening any attachments or clicking any links, as these have the potential to be malicious and dangerous.