To get around phishing blacklists in browsers, scammers are luring people by using HTML attachments instead of URLs, a security firm is warning.
Chrome and Firefox are good at detecting phishing sites and warning Web surfers via a browser notice when they are about to visit a site that looks dangerous. So good, in fact, that scammers are resorting to a new tactic to lure victims into their traps via e-mails--attaching HTML files that are stored locally when they are opened, according to an M86 blog post yesterday.
After the user fills in a form with the information the scammers want to steal and clicks "submit," the HTML form sends the data through a POST request to a PHP (Hypertext Preprocessor) script hosted on a legitimate Web server that has been compromised. (POST is used when a computer is sending data over the Internet to a Web server.) Because few PHP URLs are reported as abuse, this action does not trigger a warning from the browser, M86 said.
"Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective," the blog post says. "Logically, however, the browser should be able to detect a URL when the browser sends the POST request."
The phishing URLs alone without the HTML form are hard to verify because the PHP script runs in the server and no visible HTML is displayed after clicking the submit button, other than redirecting to a page belonging to the company the scammer was pretending to be, the post says.
To protect against this, people should avoid opening HTML attachments if the e-mail seems suspicious and not provide any information in forms. Financial institutions do not send such attachments to customers.
While many people will click on a link in an e-mail that looks like it comes from their bank, fewer are likely to open the HTML attachment.
Mozilla representatives did not provide comment on the report today. Meanwhile, a Google spokesperson provided this comment: "Google has a number of defenses against phishing sites to help protect our users. For example, Gmail checks HTML attachments for phishing sites and displays a warning to users when one is detected. We always encourage users to be cautious when handling unexpected attachments and when providing personal information requested by email."
Posted In : Security
Those e-mails appear to come from the British Red Cross. They provide some news on the earthquake and tsunami in Japan and urge people to donate to a Yahoo e-mail address on a Moneybookers account, a money transfer service that enables recipients to remain anonymous, according to App River, an e-mail hosting and security services provider.
However, real charities have e-mail addresses with their own domain and typically send people to their own Web site to make donations.
E-mails seeking "donations" via random payment services are just one way scammers can exploit catastrophes. E-mails can also include links or attachments that lead to phishing or malware-hosting Web sites. And scammers can sneak Web sites hosting malware into Web searches based on popular search terms and even create new topical Web sites solely for the purpose of hosting malware.
Here are tips for avoiding scams that piggyback on disasters and other high-profile events:
• Do not follow unsolicited Web links or attachments in e-mail messages. Be particularly cautious about clicking on photos and videos that purport to show dramatic images or footage of disasters as they can be used as bait and lead to malware.
• Keep your antivirus and other software up to date.
• Verify the legitimacy of the e-mail by going directly to the charity's Web site or calling the group.
• Find out details about the organization by searching on the Better Business Bureau's site, or GuideStar. Attorneys general often have searchable databases of charitable groups in their states. (California's, for example, is here.) The U.S. Agency for International Development (USAID) also has valuable information about how best to help victims in international disasters.
• Be wary of sites that resemble legitimate organizations or that have copycat names that are similar to reputable organizations. For instance, most legitimate charitable organizations will have a Web address that ends in ".org" instead of ".com."
• Be skeptical of people claiming to be survivors and asking for donations via e-mail or social networks.
• Ask how much of the donation goes to charity and how much goes to administration.
• Use credit cards or checks; do not send cash. Do not make checks payable to an individual. Only provide your credit card information once you feel certain that the organization is credible and do not use money payment services to make contributions.
• Do not feel pressured into giving donations.
Update 11:45 a.m. PT: GFI Labs blog is reporting on Twitter spam with a link that leads to a brand new site purporting to sell an electronic book on how to "minimize your chances of [getting] radiation sickness." And Sophos reports on malware circulating that poses as links to videos about the Japanese tsunami, as well as dangerous links sent via Twitter notifications.
Update 2:42 p.m. PT: GFI Labs blog is reporting about e-mails coming from "ICRC Basedhelping Foundation" that are seeking disaster donations. Kaspersky also is reporting about Japan quake-related e-mails with links in them that lead to pages with Java exploits designed to install malicious programs.
Update 4:42 p.m. PT: Sophos reported over the weekend about a clickjacking attack in which Facebook users were tricked into liking a YouTube video link that purported to show video of a whale hitting a building during the tsunami in Japan.
Posted In : Security