Phishers Adopt Malware Distribution-Like Tactics

A recently detected phishing campaign designed to steal credit card information employed a series of attack tactics previously associated with malware distribution, Proofpoint security researchers reveal.

The technique involves the distribution of a malicious document inside a .zip archive that is password-protected. The archive is attached to an email and the password to open it is included in the email body. Most recently, the method was used to distribute the Cerber ransomware (the campaign also dropped the Ursnif banking Trojan).

Recently, phishers decided to adopt the technique and adapt it to their needs in an attempt to steal banking data. However, instead of an Office document, this attack uses an HTML attachment that has been password-protected.

As expected, the email message is personalized with the recipient’s name, as well as with what supposedly represents the first digits of their credit card number. Since those leading digits are standardized, however, this apparent personalization only creates a sense of legitimacy for the carefully crafted emails without requiring any actual knowledge of the potential victim’s card number.

Furthermore, the spam emails use stolen branding and social engineering tactics to create a sense of urgency and trick the user into giving away their credit card information: recipients are told they need to update their security information for their “new chip card.”

The HTML attachment used in this campaign was found to be XOR-encoded to make dynamic analysis more difficult. According to Proofpoint, the password protection is implemented with the help of JavaScript. A script named pah.js is used to decrypt the XOR-encoded HTML when the user enters the password.

As soon as the user enters the password provided in the email body and the HTML attachment is decrypted, a fairly typical credit card phishing template, complete with stolen branding, is displayed. As in credential phishing attacks that submit data via HTTP POST, users are asked to enter their details into the form.

The use of a password-protected attachment is meant not only to make detection and analysis more difficult, but also to convince users that the email is legitimate. The fact that the password is included in the email body also adds to this sense of legitimacy, in addition to making it easy for the recipients to open the attachment.
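The following analyst helper is an added example, not Proofpoint's code and not the campaign's pah.js; it assumes a hypothetical wrapper layout in which the attachment stores the encoded page as a hex string named payload and XORs it with the password typed by the user (repeating-key XOR). It shows two things a defender wants here: a triage heuristic that flags password-gated, client-side-decoded HTML attachments, and a static decode that recovers the hidden template using the password from the email body, so the page can be reviewed without executing its script.

```python
import re
from typing import Optional

def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is symmetric: one routine both encodes and decodes.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Triage heuristics. A password prompt, a charCodeAt()^ loop and a DOM write
# sink together suggest the visible HTML is only a wrapper and the real page
# is decoded client-side, which is why a sandbox without the password sees nothing.
PASSWORD_FIELD = re.compile(r'type\s*=\s*["\']password["\']', re.I)
XOR_LOOP = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^")
DOM_SINK = re.compile(r"document\.write\s*\(|\.innerHTML\s*=")
PAYLOAD = re.compile(r'var\s+payload\s*=\s*["\']([0-9a-fA-F]+)["\']')  # assumed layout

def looks_password_gated(attachment: str) -> bool:
    return all(p.search(attachment) for p in (PASSWORD_FIELD, XOR_LOOP, DOM_SINK))

def recover_page(attachment: str, password: str) -> Optional[str]:
    """Statically decode the hidden page with the password taken from the email
    body, so the phishing template can be reviewed without running its script.
    Returns None if no payload is present or the password does not yield HTML."""
    m = PAYLOAD.search(attachment)
    if not m:
        return None
    decoded = xor_with_key(bytes.fromhex(m.group(1)), password.encode())
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.lstrip().startswith("<") else None

# Constructed sample attachment in the assumed layout (not the real campaign file).
SAMPLE_PASSWORD = "1234"
SAMPLE_PAGE = '<html><body><form method="POST">placeholder card form</form></body></html>'
SAMPLE_ATTACHMENT = f"""<html><body>
<input id="pw" type="password"><button onclick="go()">Open</button>
<script>
var payload = "{xor_with_key(SAMPLE_PAGE.encode(), SAMPLE_PASSWORD.encode()).hex()}";
function go() {{
  var k = document.getElementById("pw").value, out = "";
  for (var i = 0; i < payload.length; i += 2)
    out += String.fromCharCode(k.charCodeAt(i / 2 % k.length) ^ parseInt(payload.substr(i, 2), 16));
  document.write(out);
}}
</script></body></html>"""
```

In practice the password is read from the email body that carried the attachment; a mail-gateway rule that pairs the two is the point at which this technique becomes detectable rather than merely suspicious.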

“Credential and credit card phishing are nearly as old as cybercrime itself. This hasn’t stopped phishing actors from innovating, exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password protected document attachments to bypass anti-malware technologies and give recipients a false sense of security,” Proofpoint researchers note.

Related: Backdoored Phishing Templates Advertised on YouTube

Related: Cybercriminals Use New Tricks in Phishing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
