Phishing attack targeting financial organisations using SHTML file attachments

Security researchers recently detected and blocked a sophisticated phishing campaign targeting financial institutions, in which online fraudsters used SHTML (server-parsed HTML) file attachments and JavaScript to obfuscate a malicious URL.

Researchers at Mimecast noted that the use of SHTML file attachments in phishing emails is a unique phenomenon and has been observed on very rare occasions. An SHTML file is one that a server parses before serving it: the server looks into the contents of the file and adds standard headers, footers, dynamic information, and other information, thereby making web pages more dynamic.

Researchers who observed and analysed the phishing attack found that the SHTML file attachments included in phishing emails contained JavaScript that helped obfuscate a malicious URL. When a user clicked on such an attachment, the user was redirected to a malicious site that asked them to provide sensitive information.

The phishing attack involving the use of SHTML file attachments originated in the UK. While 55 percent of the emails in this campaign were distributed in the UK, another 31 percent were distributed in Australia. A very small number of such emails also targeted organisations in the financial and accounting sectors in South Africa and other countries.

After the campaign was observed, the Mimecast gateway was updated with an advanced custom rule that directly identified the SHTML construction. This way, Mimecast has been able to prevent phishing emails containing malicious SHTML file attachments from reaching more than 100,000 individual users at financial organisations since April this year.
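A sketch of an attachment check in the spirit of the rule described above, added here as an illustration; it is not Mimecast's rule, whose details the article does not give. It flags SHTML attachments whose inline script both decodes a string and navigates the browser. The regex markers, verdict names and sample messages are assumptions constructed for this example.

```python
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage

SHTML_EXTS = (".shtml", ".shtm")
# Heuristic markers (assumed): script-driven navigation and common string decoders.
REDIRECT = re.compile(r"(window|document|top|self)\.location|location\.(href|replace|assign)", re.I)
DECODER = re.compile(r"\b(atob|unescape|decodeURIComponent|eval)\s*\(|String\.fromCharCode", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)

def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per SHTML attachment, with the reasons it looks suspicious."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(SHTML_EXTS):
            continue  # only SHTML attachments are in scope for this check
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        scripts = "\n".join(SCRIPT.findall(body))
        reasons = ["shtml-attachment"]
        if scripts:
            reasons.append("inline-script")
        if REDIRECT.search(scripts):
            reasons.append("script-redirect")
        if DECODER.search(scripts):
            reasons.append("string-decoding")
        # Quarantine only when the script both decodes a string and navigates.
        hit = {"script-redirect", "string-decoding"} <= set(reasons)
        findings.append({"filename": name, "reasons": reasons,
                         "verdict": "quarantine" if hit else "review"})
    return findings

def build_sample(script: str, filename: str) -> bytes:
    """Constructed test message; addresses and URL use the reserved .invalid TLD."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "Statement"
    msg.set_content("Please see attached.")
    html = f"<html><body><script>{script}</script></body></html>"
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename=filename)
    return msg.as_bytes()

# Constructed samples: a decoded-then-redirect script in an SHTML file, and a plain HTML file.
ENCODED = base64.b64encode(b"https://example.invalid/").decode()
SUSPICIOUS = build_sample(f'window.location.href = atob("{ENCODED}");', "statement.shtml")
BENIGN = build_sample('document.title = "Report";', "report.html")
```

SHTML attachments that carry no decoding redirect are returned with the verdict `review` rather than dropped, since the article notes the file type itself is rarely seen in email.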

"This seemingly-innocent attachment redirecting unsuspecting users to a malicious site might not be a particularly sophisticated technique, but it does present businesses with a big lesson. Simple still works. That’s a huge challenge for organisations trying their best to keep their systems secure," says Tomasz Kojm, senior engineering manager at Mimecast.

He adds that businesses should firstly put the right technologies in place to take care of known threats and reduce the number of threats that reach their employees. Secondly, businesses should proactively train their employees to spot malicious emails and the exercise needs to be regular and engaging.

According to Mimecast, 91% of all cyberattacks originate via email and it only takes a momentary lapse in user vigilance for a scam to wreak havoc. Many phishing emails use images in place of written text to evade mail filters, or code obfuscation techniques to prevent detection by security software.

Malicious actors who deploy phishing tactics to obtain sensitive information or to steal money also take advantage of employees' natural emotional reactions such as curiosity, fear, and urgency to lure them into taking urgent actions.

"Phishing is not going away any time soon, so you need to ensure your employees can act as a final line of defence against these threats. Not sure if an email is legitimate? Know that a human that needs your feedback will follow up via a different route. If in doubt, follow the basic rule to ignore, delete and report," Kojm adds.

Jay Jay

Jay has been a technology reporter for almost a decade. When not writing about cybersecurity, he writes about mobile technology for the likes of Indian Express, TechRadar India and Android Headlines.
