This strange new phishing attack uses a surprise bill to trick you into clicking

Researchers uncover a campaign which uses SHTML files - commonly associated with web servers - to direct users to malicious, credential-stealing websites.
Written by Danny Palmer, Senior Writer

Banks and financial institutions around the world are being targeted by a new email phishing campaign which uses an unusual technique as part of its attacks.

The phishing emails carry server-parsed HTML (SHTML) file attachments, a format normally served by web servers rather than sent by email. When a user opens the attachment, the browser is immediately redirected to a malicious site that requests sensitive information; anything entered there goes straight to the cybercriminals, who are believed to be operating out of the UK.

Uncovered by threat researchers at cybersecurity company Mimecast, over half of the malicious emails have been sent to targets in the UK, with significant numbers also sent to potential victims in Australia and South Africa. A small number of attacks have targeted inboxes of users in the rest of the world.


Banking and finance is the main target of the attacks, although the emails sent to Australia appear to be focused mainly on the higher education sector. What all the targets have in common is that they hold vast amounts of login credentials, personal data and financial information, all of which could be very useful, and potentially very lucrative, for attackers.

The campaign began in early April and relies on a tried and tested phishing lure: a simple email claiming to be the receipt for a payment, in this case one of thousands of pounds.

The high value is likely intended to shock recipients into opening the attachment and entering their credentials to find out what the unexpected payment is for. It's a common ploy, but it works.

"This seemingly innocent attachment redirecting unsuspecting users to a malicious site might not be a particularly sophisticated technique, but it does present businesses with a big lesson. Simple still works. That's a huge challenge for organisations trying their best to keep their systems secure," said Tomasz Kojm, senior engineering manager at Mimecast.

After examining the emails, Mimecast researchers created a custom rule to identify and block these attacks, and say that over 100,000 individual users have been protected since the signature was set up.
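The attachment-level check below is an added example, not Mimecast's rule or anything published about the campaign. It treats any attachment with a server-parsed extension (.shtml, .shtm, .stm) as something no legitimate sender mails, and additionally looks for the two common ways a locally opened HTML file can send the browser elsewhere (a meta refresh, or a script assigning or replacing window.location); that mechanism is an assumption, since the article only says the file redirects. The lure message is constructed inline, and every address and URL uses a reserved example domain.

```python
"""Gateway-style check for SHTML attachments that redirect on open.

Added example; not the vendor's rule. The sample message is constructed and
the redirect idioms searched for are assumptions about how such a file could
redirect, not published details of the campaign.
"""
from __future__ import annotations

import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions a web server parses server-side; there is no normal reason to
# receive one as an email attachment.
SERVER_PARSED_EXTENSIONS = (".shtml", ".shtm", ".stm")

# <meta http-equiv="refresh" content="0;url=..."> navigates as soon as the
# file is rendered, even when opened from disk.
META_REFRESH = re.compile(
    r'http-equiv\s*=\s*["\']?refresh["\']?[^>]*?url\s*=\s*["\']?([^"\'\s>]+)',
    re.I | re.S,
)
# Script-driven redirects: location = "...", location.href = "...",
# location.replace("..."), location.assign("...").
JS_LOCATION = re.compile(
    r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']',
    re.I,
)


def redirect_targets(html: str) -> list[str]:
    """Return every URL the document would navigate to on load."""
    targets = [m.group(1) for m in META_REFRESH.finditer(html)]
    for m in JS_LOCATION.finditer(html):
        targets.append(m.group(1) or m.group(2))
    return targets


def scan_message(raw: bytes) -> list[dict]:
    """Inspect each attachment of a raw RFC 5322 message.

    Returns one finding per suspicious part. A server-parsed extension alone
    is enough to block; a redirect in an otherwise ordinary HTML attachment
    is flagged for review.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("utf-8", errors="replace")
        server_parsed = name.endswith(SERVER_PARSED_EXTENSIONS)
        targets = redirect_targets(text)
        if server_parsed or targets:
            findings.append({
                "filename": name,
                "server_parsed_extension": server_parsed,
                "redirect_targets": targets,
                "verdict": "block" if server_parsed else "review",
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed lure: a 'receipt' for a large payment with an SHTML file."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Payment receipt - GBP 7,450.00"
    msg.set_content("Please find attached the receipt for your recent payment.")
    # Hypothetical redirecting attachment (the campaign's real content is
    # not described in the article).
    lure = (
        '<html><head>\n'
        '<meta http-equiv="refresh"\n'
        '      content="0;url=http://phish.example.invalid/secure-login">\n'
        '</head><body>Loading your receipt...</body></html>\n'
    )
    msg.add_attachment(lure, subtype="html", filename="receipt.shtml")
    # Benign control attachment so the scanner is seen to skip it.
    msg.add_attachment(b"%PDF-1.4 constructed benign placeholder",
                       maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Extension matching is the cheap, high-confidence signal here; the redirect scan costs a regex pass over each attachment but also catches the same trick delivered as a plain .html or .htm file, which the extension rule alone would miss.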

However, while technology can help prevent cybercriminals from successfully conducting attacks, Kojm argued that people are key when it comes to bolstering the defences of an organisation.

"Train every employee so they can spot a malicious email the second it arrives in their inbox. This can't be an annual box-ticking quiz, it needs to be regular and engaging. Phishing is not going away any time soon, so you need to ensure your employees can act as a final line of defence against these threats," he said.

Phishing remains the starting point for the vast majority of cyberattacks and phishing emails have led to some of the most high-profile cyber incidents of recent years.

Preventing phishing attacks is one of the key pillars of the UK National Cyber Security Centre's (NCSC) Active Cyber Defence (ACD) programme and it recently revealed how it helped stop 140,000 separate phishing attacks in 2018 – including one that targeted 200,000 airport customers.
