Adversaries Target Mobile Users With Well-Spoofed HTML Files in New Phishing Attack

  • This phishing file comes attached in an email.
  • The phishing emails purport to come from the UK telecom provider Three through a legitimate-looking email address, ‘online@three[.]co[.]uk’.

A phishing attack directed at the customers of a UK telecom provider has been uncovered recently. The attack purports to come from Three, a British telecommunications and internet service provider.

How does it operate?
  • Cofense researchers revealed that the attack relies on a well-spoofed HTML file that prompts users to share their personal and credit card details. This phishing file comes attached in an email.
  • The targeted customers are informed that their bill payment could not be processed by the bank and are therefore asked to download the HTML file ‘3GUK[.]html’ to edit their billing information to avoid suspension of service.
  • Further investigation revealed that the source code is a clone of actual HTML code on a legitimate page of the UK-based telecom provider Three. In order to make it look convincing, the email includes ‘online@three[.]co[.]uk’ as the sender email address.
  • Any information provided by a victim is processed by the ‘processing[.]php’ script located at hxxp://joaquinmeyer[.]com/wb/processing[.]php, a domain the adversaries have compromised.

Final words
Users should always be wary of unsolicited requests to download and open HTML/HTM file attachments. These attachments are used as a channel by attackers to distribute malware designed to steal personal information from users.
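
For mail administrators, the pattern described above (an HTML attachment whose form sends card details to a domain unrelated to the claimed sender) can be checked automatically. The following is an added example, not code from Cofense or the original article; the field-name list, function names and all hostnames in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark a field as collecting payment or login data (assumed list).
SENSITIVE = ("card", "cvv", "cvc", "expiry", "password", "sortcode", "account")

class FormAudit(HTMLParser):
    """Collect each <form> action together with the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or a.get("id") or "").lower())

def same_org(host, domain):
    """True when host is the sender's domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit_attachment(html, sender_address):
    """Flag forms that send sensitive fields somewhere other than the sender's domain."""
    domain = sender_address.rsplit("@", 1)[-1].lower()
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        url = urlparse(form["action"])
        host = (url.hostname or "").lower()
        fields = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        reasons = []
        if host and not same_org(host, domain):
            reasons.append("posts to external host " + host)
        if url.scheme == "http":
            reasons.append("submits over plain HTTP")
        if fields and reasons:
            findings.append({"action": form["action"], "fields": fields, "reasons": reasons})
    return findings

# Constructed sample attachment; all hostnames are placeholders, not values from the article.
SAMPLE = """<form action="http://compromised-site.example/collect.php" method="post">
<input name="fullname"><input name="CardNumber"><input name="cvv"></form>
<form action="https://www.telecom.example/search"><input name="q"></form>"""

if __name__ == "__main__":
    for finding in audit_attachment(SAMPLE, "online@telecom.example"):
        print(finding)
```

A finding here is a triage signal for quarantine or review rather than a verdict, since legitimate senders sometimes post to third-party payment processors.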