The attacks get past spam filters using HTML webpage attachments, rather than traditional phishing e-mails that contain malicious links. "Many browsers utilize anti-phishing filters to help protect users against phishing attacks," US-CERT states. "This method of attack is able to bypass this security mechanism."
US-CERT encourages users and administrators to:
- Not follow unsolicited links or attachments in e-mail;
- Use caution when providing personal information online;
- Verify the legitimacy of e-mail by contacting the sender directly;
- Review common best practices for avoiding e-mail scams and socially engineered attacks.
Neil Schwartzman, founder and chief security specialist at Montreal-based CASL Consulting, says this mode of so-called attachment attack has been growing and has hit several large organizations, including FedEx and Canada Post, in the last month. "It's not even a sophisticated scheme," Schwartzman says. "It's almost unsophisticated, but it's clever."
Because the phishy HTML pages are e-mailed to unsuspecting recipients as attachments, spam filters have no overt URLs to scan and trap. "You create an HTML page and mail it as an attachment that's called a Word doc or a PDF, to trick the content filters," he says. "It's a way to circumvent the spam filter. The victim gets the e-mail, opens the attachment and then is sent to a legitimate website, before being routed to a site that's not legit, where, of course, the victim is asked to enter some kind of account information" or personal identifier, like a U.S. Social Security number.
"Obviously, PayPal is worried about the theft of actual PayPal credentials," Schwartzman says. But the way these phishy forms are set up, fraudsters are out to bilk what they can out of any company or consumer. "They're phishing for any kind of information that can lead to money, whether it is a Social Security number, a PayPal account or credit card information."
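A mail-gateway check for the disguise described above, where an HTML page is attached under a Word or PDF name, can compare what an attachment claims to be with what its bytes actually are. The following is an added example, not code from the article or from US-CERT; the function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

DOC_EXTS = (".doc", ".docx", ".pdf")  # assumed list of names used as a disguise
HTML_RE = re.compile(rb"<\s*(!doctype\s+html|html|body|form)\b", re.I)
FORM_RE = re.compile(rb"<\s*form\b", re.I)

def scan_attachments(raw: bytes):
    """Return one finding per attachment whose decoded bytes are really HTML."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not HTML_RE.search(data[:4096]):
            continue  # not HTML content, nothing to report for this technique
        name = (part.get_filename() or "").lower()
        declared = part.get_content_type()
        findings.append({
            "filename": name,
            "declared_type": declared,
            # HTML bytes behind a document name or a non-HTML MIME type
            "disguised": name.endswith(DOC_EXTS) or declared != "text/html",
            # a form is how the page asks for account details
            "has_form": bool(FORM_RE.search(data)),
        })
    return findings

def build_sample() -> bytes:
    """Constructed message: an HTML form named like a PDF, plus a PDF stub."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Account notice"
    msg.set_content("Please see the attached document.")
    html = b"<html><body><form><input name='acct'></form></body></html>"
    msg.add_attachment(html, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    msg.add_attachment(b"%PDF-1.4\n%constructed stub\n", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_attachments(build_sample()):
        print(finding)
```

A gateway would typically quarantine or strip attachments where `disguised` is true, and treat `has_form` as an additional signal rather than a verdict on its own.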