Under the phishing filters' radar

Criminals are reportedly using a new phishing technique that allows them to bypass the fraud warnings issued by modern browsers such as Firefox and Chrome. On its blog, security firm M86Security reports that the trick involves attaching an HTML document instead of sending a link. It remains unclear how many users have become victims so far.

Email recipients opening the HTML document in their browsers are, for example, presented with a bogus PayPal form with the usual request to enter their access data due to alleged security issues. As the form is being processed locally on the user's computer, the phishing filter doesn't issue a warning because it only filters external URLs. A click on the "Submit" button then transmits the entered data to a PHP script on a (hacked) server using a POST request. According to M86Security, the browser doesn't warn about this either.

While browsers should at least warn users when sending the data, M86Security stated two potential reasons why they won't: as users don't see the URL they access via POST requests, they can't report it, and consequently the URL is missing in the browser filter's blacklist. The company added that most users can't make anything of the HTML source code that is attached to the email.

Secondly, M86Security said that URLs which lead to a PHP script are very difficult to classify as phishing sites. It is reportedly hard to identify a phishing site without the accompanying HTML code which could, for instance, reveal whether a site pretends to be a banking site. This has apparently caused months-old phishing campaigns to remain undetected. The security firm didn't state whether its assessment only refers to the filter lists maintained for Chrome, Firefox and other browsers, or whether it also includes those of the AV vendors, who maintain separate lists for their own filter products.

(crve)