Analysis of HTML Phishing Campaign

Phishing attack is a kind of social engineering where it’s the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through e-mail with attachment files. The main goal is to steal sensitive data like credit card and login credentials like username & password etc.

Target – Internal Revenue Service (IRS), a social media company, or any banking sector.

Goals – Stealing personal data or financial information.

Infection Chain

Usually, phishing campaigns infect the victims through initial infection vectors of embedded attachments, javascript shellcode, and/or malspam e-mails. This kind of e-mail file comes with attachment files of HTML/JS files. In this sample, the .html file is embedded with .JS script with malicious URL to download the payload file, likewise it uses known infection from [XXXX.com] domain in-order to download the payload files.

Psychology 101- What’s the psychology behind phishing attacks?

Let’s walk you through a few psychological concepts associated with phishing here.

Reciprocity in social situations, helping a coworker, and consistency when paying your vendor or contractor on time, maybe considered as examples of influence over a victim clicking a phishing e-mail link. According to Tessian’s Research report Psychology of Human Error 2022, a follow-up to their 2020 report with Stanford University, 52% of people clicked on a phishing e-mail because it looked as though it had come from a senior executive at the company — up from 41% in 2020.

Also, weary workers were more likely to make mistakes, which threat actors frequently tend to prey upon. Most phishing attacks are delivered between 2 and 6 p.m., Tessian revealed in 2021, the post-lunch dip when staff members are most likely to be fatigued, distracted or preoccupied – making them more prone to click on a phishing link.

Employees may be hesitant to report the phishing incident after realising they were duped and acted out of misplaced trust. They are likely to feel bad, or feel guilty about themselves and may even face repercussions from their employer. The best-case scenario is to report the incident to IT / IT Sec team.

Employees falling prey to phishing attempts and then brushing it under the rug is how a cyber event can escalate into a large-scale cyber incident. Instead, organisations should foster an open dialogue about phishing & similar cyber threats fostering a culture in which cyber security becomes a shared responsibility.

Recent phishing campaigns that we have seen in the last 18 months through LMNTRIX CDC include;

• COVID-19 Scams: Hackers have used the pandemic to prey on people’s fears and anxieties. They may e-mail or, contact you about COVID-19 vaccine discounts or freebies, but they’re trying to steal your personal information.
• Fake bank alerts: Fake bank alerts are another prevalent occurrence used by phishing groups. The bank’s notice may indicate your account has suspicious behavior, request you to change a password, and/or ask you to click a link (with a drive-by download) to fix it. The link leads to a bogus website where hackers can steal your login details using info-stealer malware.
• Fake Job Offers: Fraudsters may e-mail you a job offer from a well-known organisation using open mail relays. They ask for your Social Security number and bank account information to “process your application.” But what they’re really after is your identity, personally identifiable information and your money.

Always go with your gut instinct when you suspect a particular e-mail attachment, or link, as the old saying goes, “If anything appears too good to be true, it probably is!”

Sample Information

Anatomy of malicious HTML files

An HTML file contains Hypertext Markup Language that formats the structure of a webpage. HTML code is based on tags, or hidden keywords, which provide instructions for formatting the document.

Types of HTML files:

1. Transitional:
   Transitional is the most common type of HTML. It has a flexible syntax, or grammar and spelling component. Over the years, transitional HTML has been used without syntax restrictions, and browsers support a ‘best effort’ approach to reading the tags. If tags are misspelled, the browsers do not correct web developers’ errors, and they display the content anyway. Browsers do not report HTML errors – they simply display what they can. This is the ‘best effort’ concept.
2. Strict:
   The strict type of HTML is meant to return rules into HTML and make it more reliable. For example, the strict type requires closing all tags for all opened tags. This style of HTML is important on phones, where the processing power may be limited. A clean and error-free code helps to load pages faster.

Technical Analysis of HTML Phishing Sample

Snap 1: Static View of the Sample Code

Snap 2:  Sign_In page

Snap 3:  Phishing URL

Snap 4: Creation of the FORM

Snap 5: Method FORM_ACTION

Snap 6: Initial – Indicator of Compromise [IOC]

Snap 7: AV Vendor Results

Goals of Phishing Attack

The main goal of a phishing attack is to steal personal or financial information. First we should identify and understand what data is at risk, next we assess why it’s important for adversaries to hack. Once the data is stolen, they will sell username, passwords, location, identity proof and relevant PII information on the dark web to either cashout with data dumps, or demand a ransom from the owner.

Here are different ways the attackers can make money from your data:

• Steal data for personal gain.
• Selling data on the dark web.
• Obtain data for another entity which will act as a info-stealing service, or hacking as a service.

How to prevent Phishing attacks?

• Never trust any alarming messages.
• Employ common sense before handing over sensitive information.
• Do not open attachments from unknown persons.
• Avoid clicking embedded links from unknown resources and hyperlinks.
• Ensure your software and operating system is updated periodically

Indicators of Compromise – HTML Phishing Sample