Phishing attack targeting financial organisations using SHTML file attachments

Security researchers recently detected and blocked a sophisticated phishing campaign in which online fraudsters targeted financial institutions with SHTML (server-parsed HTML) file attachments containing JavaScript that obfuscated a malicious URL.
Researchers at Mimecast noted that the use of SHTML file attachments in phishing emails is unusual and has been observed only on very rare occasions. An SHTML file is an HTML file that the web server parses before serving it, so that it can insert standard headers, footers, dynamic information and other content, thereby making web pages more dynamic.
Researchers who observed and analysed the phishing attack found that the SHTML file attachments included in the phishing emails contained JavaScript that obfuscated a malicious URL. Opening such an attachment redirected the user to a malicious site that asked them to provide sensitive information.
The campaign originated in the UK: 55 percent of its emails were distributed in the UK and another 31 percent in Australia. A very small number of such emails also targeted organisations in the financial and accounting sectors in South Africa and other countries.
After observing this campaign, Mimecast updated its gateway with an advanced custom rule that directly identifies the SHTML construction. In this way, Mimecast has prevented phishing emails containing malicious SHTML file attachments from reaching more than 100,000 individual users at financial organisations since April this year.
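The article describes the attack in outline only: an SHTML attachment carrying JavaScript that hides the destination URL and redirects the victim when the file is opened, and a gateway rule that flags the SHTML construction. The following is an added example of what such a mail-gateway check can look like. It is not Mimecast's rule and not code from the campaign; the indicator patterns, the block/quarantine/allow policy, the sample message and the placeholder URL are all constructed assumptions for illustration. The scanner parses a raw message, inspects every HTML-like attachment for SHTML server-side include directives and for script that decodes or redirects, and also decodes any base64 literal passed to atob() so an analyst can see the hidden destination without opening the file.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed heuristics for illustration only; these are assumptions,
# not the gateway rule described in the article.
SHTML_EXTENSIONS = (".shtml", ".shtm", ".stm")
HTML_EXTENSIONS = SHTML_EXTENSIONS + (".html", ".htm")
SSI_DIRECTIVE = re.compile(r"<!--#(include|exec|echo|set)\b", re.I)
SCRIPT_TAG = re.compile(r"<script\b", re.I)
ATOB_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
JS_INDICATORS = [
    ("redirect", re.compile(r"window\.location|location\.(href|replace|assign)")),
    ("document-write", re.compile(r"document\.write")),
    ("base64-decode", re.compile(r"atob\(")),
    ("char-decode", re.compile(r"unescape\(|String\.fromCharCode")),
]


def decode_atob_literals(body):
    """Decode every base64 string literal passed to atob(), for analyst review."""
    decoded = []
    for literal in ATOB_LITERAL.findall(body):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def scan_html_attachment(name, body):
    """Return the indicator names found in one HTML/SHTML attachment body."""
    findings = []
    if name.lower().endswith(SHTML_EXTENSIONS):
        findings.append("shtml-extension")
    if SSI_DIRECTIVE.search(body):
        findings.append("ssi-directive")
    if SCRIPT_TAG.search(body):
        findings.append("script-tag")
        for label, pattern in JS_INDICATORS:
            if pattern.search(body):
                findings.append("js:" + label)
    return findings


def verdict(findings):
    """Assumed policy: SHTML + script + a redirect/decoder indicator is blocked."""
    js_hits = [f for f in findings if f.startswith("js:")]
    if "shtml-extension" in findings and "script-tag" in findings and js_hits:
        return "block"
    if "script-tag" in findings:
        return "quarantine"
    return "allow"


def scan_message(raw_bytes):
    """Scan every HTML-like attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not (name.lower().endswith(HTML_EXTENSIONS) or part.get_content_type() == "text/html"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        findings = scan_html_attachment(name, body)
        report[name] = {
            "findings": findings,
            "decoded_urls": decode_atob_literals(body),
            "verdict": verdict(findings),
        }
    return report


def build_sample(malicious=True):
    """Constructed sample message; the URL is a placeholder, not a real indicator."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"
    msg["To"] = "finance@recipient.example"
    msg["Subject"] = "Statement attached"
    msg.set_content("Please review the attached statement.")
    if malicious:
        encoded = base64.b64encode(b"https://example.com/login").decode()
        html = (
            "<html><body>\n"
            '<!--#include virtual="/header.html" -->\n'
            "<script>\n"
            f'var u = atob("{encoded}");\n'
            "window.location = u;\n"
            "</script>\n</body></html>"
        )
        filename = "statement.shtml"
    else:
        html = "<html><body><p>Quarterly statement</p></body></html>"
        filename = "statement.html"
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        for name, result in scan_message(build_sample(flag)).items():
            print(name, result)
```

The extension check matters on its own: a mail client does not need a web server to open an .shtml attachment, so the server-side include directive is never processed and the embedded script runs in the browser just as it would in a plain .html file. That is why the policy here treats the SHTML extension plus script plus a decoder or redirect as a blocking combination rather than relying on the SSI directive alone.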
"This seemingly-innocent attachment redirecting unsuspecting users to a malicious site might not be a particularly sophisticated technique, but it does present businesses with a big lesson. Simple still works. That’s a huge challenge for organisations trying their best to keep their systems secure," says Tomasz Kojm, senior engineering manager at Mimecast.
He adds that businesses should first put the right technologies in place to handle known threats and reduce the number that reach their employees. Second, businesses should proactively train their employees to spot malicious emails, and that training needs to be regular and engaging.
According to Mimecast, 91% of all cyberattacks originate via email, and it takes only a momentary lapse in user vigilance for a scam to wreak havoc. Many phishing emails use images in place of written text to evade mail filters, or code obfuscation techniques to prevent detection by security software.
Malicious actors who use phishing to obtain sensitive information or steal money also exploit employees' natural emotional reactions, such as curiosity, fear and urgency, to lure them into acting hastily.
"Phishing is not going away any time soon, so you need to ensure your employees can act as a final line of defence against these threats. Not sure if an email is legitimate? Know that a human that needs your feedback will follow up via a different route. If in doubt, follow the basic rule to ignore, delete and report," Kojm adds.
Copyright Lyonsdown Limited 2021
