Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

3/17/2011
01:12 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Phishers Bypass Browser Filters

PayPal, Bank of America, Lloyds phishing emails embedding malicious HTML files

Looks like those anti-phishing filters in your browser are working because attackers are now bypassing them by stuffing HTML files into spam messages so the malicious pages don't get detected: Researchers have detected several cases of phishers passing HTML file attachments off as Bank of America, Lloyds, TSB, and PayPal pages.

And this practice appears to be on the rise, says Satnam Narang, a threat analyst with M86 Security, which has seen an increasing number of these types of phishing messages in its spam traps. "We've seen malicious HTML attachments in spam before that directed to Canadian pharmacies. On more than one occasion, we've seen it with PayPal and Bank of America," Narang says. "But the fact is that these are becoming more common."

Unlike spam emails that try to direct users to a phishing site via a URL, this one is able to bypass the browser's anti-phishing filter and blacklist by locally storing the page. "And once the user inputs his information and sends it off to a PHP script on a legitimate website, it gets redirected to the bad guys, and they get the information," he says. "The user is none the wiser because it redirects [him] to actual sites," such as PayPal, for instance.

Narang blogged yesterday about such an attack using PayPal as the lure by requiring PayPal account verification. Here the PHP file was place on fritolay.com's website; the HTML form sends the pilfered information via a POST request to the PHP script on the hacked fritolay site.

Nitesh Dhanjani, a security expert and senior manager at Ernst & Young, says he hasn't seen local HTML files getting passed around in phishing schemes before. The technique isn't necessarily more sophisticated, but it's effective, he says.

"As always, the target market for the phishers are individuals who aren't technologically savvy. That said, given the amount of complexity involved in merely browsing the Web these days, it's becoming hard to blame the average user for not knowing how to parse URLs, domain names, and attachments to stay safe," he says. "This particular example can bypass browser sandbox models since it is loaded from the local disk. Technically impressive? No. Will it fool a large number of users and get around browser controls? Yes."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why AI Will Create Far More Jobs Than It Replaces
John DiLullo, CEO, Lastline,  5/14/2019
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12216
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a heap-based buffer overflow in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12217
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c.
CVE-2019-12218
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c.
CVE-2019-12219
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c.
CVE-2019-12220
PUBLISHED: 2019-05-20
An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c.