A recent research study conducted by Check Point has brought the alarming extent of credential harvesting attacks to light, revealing that they account for a staggering 59% of all cyber attacks. Business Email Compromise (BEC), a fraudulent scheme often involving email spoofing or intrusion, also relies heavily on this attack vector, with credential harvesting playing a role in 15% of such attacks1.
The go-to tactic for cybercriminals is the use of phishing emails loaded with malicious URLs or attachments designed to stealthily harvest user credentials. More than half of these attachments are HTML files disguised as login pages for popular services like Microsoft or Webmail1. This cunning approach tricks unsuspecting users into revealing their sensitive information.
Interestingly, HTML attachments, which constitute an integral part of our daily internet experience, are not typically received via email by the average person. The prevalence of these attachments is an indicator that they are likely a part of a phishing attack.
Unlike most phishing schemes that host fraudulent web pages on the public internet, these HTML attachments host them on the victim’s device, a strategy that effectively sidesteps URL reputation checks. The malicious HTML attachments are often embedded with links, JavaScript, images, HTML entities, and tailored CSS to avoid detection. Moreover, some even employ advanced obfuscation techniques similar to those found in the baseStriker and ZeroFont attacks.
By avoiding the use of URLs, cybercriminals successfully evade having their phishing pages flagged for suspicious activity, making it easier to bypass HTML restrictions in email bodies. This, coupled with the lack of need to host the page on a compromised site, makes credential harvesting attacks particularly easy for cybercriminals to orchestrate.
To mitigate this growing threat, it’s crucial for security experts and users alike to treat emails with HTML or .htm attachments with caution. Moreover, network administrators may want to consider treating these attachments in the same way they would executable files, like .exe or .cab, even going as far as to block them. By doing so, they can significantly reduce their organization’s susceptibility to credential harvesting and BEC attacks.
As cyber threats continue to evolve, the importance of proactive security measures and awareness cannot be overstated. These findings by Check Point provide an eye-opening reminder of the prevalent and sophisticated techniques cybercriminals employ to exploit unsuspecting individuals and organizations.