Phishing attack targeting financial organisations using SHTML file attachments


Security researchers recently detected and blocked a sophisticated phishing campaign targeting financial institutions. Online fraudsters attached SHTML files (server-parsed HTML) to their emails and used JavaScript inside those files to obfuscate a malicious URL.
Researchers at Mimecast noted that SHTML attachments in phishing emails are a unique phenomenon, observed only on very rare occasions. An SHTML file is a page the web server parses before serving: the server reads the file and inserts standard headers, footers, dynamic information and other content into it, which makes web pages more dynamic.
Researchers who observed and analysed the phishing attack found that the SHTML attachments contained JavaScript that obfuscated a malicious URL. When a user opened such an attachment, it redirected them to a malicious site that asked them to provide sensitive information.
The campaign originated in the UK. While 55 percent of its emails were distributed in the UK, another 31 percent were distributed in Australia. A very small number also targeted organisations in the financial and accounting sectors in South Africa and other countries.
After observing this phishing campaign, Mimecast updated its gateway with an advanced custom rule that directly identifies the SHTML construction. Since April this year, this rule has prevented phishing emails carrying malicious SHTML attachments from reaching more than 100,000 individual users at financial organisations.
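The article does not publish Mimecast's gateway rule, so the following is an added example of the kind of attachment check a mail gateway could apply: it parses a message, looks for attachments with a server-parsed HTML extension, and flags those whose inline script encodes URL material or drives a redirect. This is not Mimecast's code; the extension list, the regular expressions and the verdict thresholds are assumptions of this example, and the sample message (with `example.invalid` hostnames) is constructed inline so the script runs offline.

```python
"""Gateway-style check for SHTML attachments carrying script-driven redirects.

Added example, not the rule described in the article.  The heuristics below
are assumptions; the sample message is constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions a web server would treat as server-parsed HTML (assumed list).
SHTML_EXTENSIONS = (".shtml", ".shtm", ".stm")

# Markers of URL material hidden behind decoding or escaping (assumed heuristics).
OBFUSCATION_PATTERNS = [
    r"unescape\s*\(",
    r"decodeURIComponent\s*\(",
    r"atob\s*\(",
    r"String\.fromCharCode",
    r"\\x[0-9a-fA-F]{2}",
    r"\\u[0-9a-fA-F]{4}",
]

# Ways a page can send the viewer elsewhere without a visible link (assumed heuristics).
REDIRECT_PATTERNS = [
    r"(?:window\.|document\.)?location(?:\.href)?\s*=",
    r"location\.(?:replace|assign)\s*\(",
    r"window\.open\s*\(",
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh",
]


def analyse_attachment(filename: str, content: bytes) -> dict:
    """Classify one attachment as allow / review / block with the reasons found."""
    name = (filename or "").lower()
    text = content.decode("utf-8", errors="replace")

    is_shtml = name.endswith(SHTML_EXTENSIONS)
    has_script = re.search(r"<script\b", text, re.I) is not None
    obfuscated = [p for p in OBFUSCATION_PATTERNS if re.search(p, text)]
    redirects = [p for p in REDIRECT_PATTERNS if re.search(p, text, re.I)]

    reasons = []
    if is_shtml:
        reasons.append("server-parsed HTML extension")
    if has_script:
        reasons.append("inline script")
    if redirects:
        reasons.append("script-driven redirect")
    if obfuscated:
        reasons.append("encoded URL material")

    # SHTML plus script plus hidden/redirecting behaviour matches the campaign shape.
    if is_shtml and has_script and (redirects or obfuscated):
        verdict = "block"
    # A bare SHTML attachment, or any HTML that redirects, is unusual enough to hold.
    elif is_shtml or (has_script and redirects):
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and analyse every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append(analyse_attachment(part.get_filename() or "", payload))
    return results


def build_sample_message() -> bytes:
    """Constructed sample: one SHTML attachment with an encoded redirect, one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Remittance advice"
    msg.set_content("Please see the attached remittance advice.")
    shtml = (
        "<html><body><script>"
        'window.location.href = decodeURIComponent("http%3A%2F%2Fredirect-target.example.invalid%2Flogin");'
        "</script></body></html>"
    )
    msg.add_attachment(shtml.encode(), maintype="text", subtype="html",
                       filename="remittance.shtml")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in scan_message(build_sample_message()):
        print(result)
```

The verdict tiers are the design point: the extension alone is not proof of phishing (legitimate server-side includes exist), so an SHTML attachment without script goes to review, while the combination the article describes (SHTML, inline script, and an encoded or redirecting URL) is blocked outright.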
"This seemingly-innocent attachment redirecting unsuspecting users to a malicious site might not be a particularly sophisticated technique, but it does present businesses with a big lesson. Simple still works. That’s a huge challenge for organisations trying their best to keep their systems secure," says Tomasz Kojm, senior engineering manager at Mimecast.
He adds that businesses should first put the right technologies in place to handle known threats and reduce the number that reach their employees. Second, businesses should proactively train employees to spot malicious emails, and that training needs to be regular and engaging.
According to Mimecast, 91% of all cyberattacks originate via email and it only takes a momentary lapse in user vigilance for a scam to wreak havoc. Many phishing emails use images in place of written text to evade mail filters, or code obfuscation techniques to prevent detection by security software.
Malicious actors who deploy phishing tactics to obtain sensitive information or to steal money also take advantage of employees' natural emotional reactions such as curiosity, fear, and urgency to lure them into taking urgent actions.
"Phishing is not going away any time soon, so you need to ensure your employees can act as a final line of defence against these threats. Not sure if an email is legitimate? Know that a human that needs your feedback will follow up via a different route. If in doubt, follow the basic rule to ignore, delete and report," Kojm adds.

Copyright Lyonsdown Limited 2020
