Researchers have observed new spear-phishing campaigns aimed at certain organizations or individuals via infected HTML attachments.

The spear-phishing campaign

Researchers have spotted the spear-phishing campaign with a unique string of DH4 VIP3R L337 with 147 lures to steal the credentials of 164 users belonging to financial services and security firms.
  • The attack employed customized HTML attachment payloads aimed at the victims. If opened, victims are directed at a phishing page impersonating a service often used by them. 
  • The HTML attachment file types are excluded from the default blocks used by Secure Email Gateways (SEGs). These SEGs are used in large financial firms for sending encrypted emails.

The HTML attachments are created automatically by a sophisticated payload generator kit. It is not verified yet by the researchers, though the generator kit is being tracked as VIP3R_L33T Generator.

How does it work?

If a victim visits the impersonated phishing pages, they are urged to input their username and password.
  • Once the credentials are provided, they are sent directly to the email address of the attackers.
  • These credentials are then validated and verified on the server-side using PHPMailer library. If verification fails, an error message is sent back to the user via the browser and redirected to the legitimate equivalent page of the phishing website. 
  • If the verification of the victim’s email and password is successful, the client is directed to a PDF hosted on Microsoft OneDrive. 

What to do?

This spear-phishing campaign leverages an easy way of validating victim credentials, besides bypassing the SEG protection. To stay protected, organizations should raise awareness and provide training to their employees in identifying phishing emails and adopt a zero-trust policy with an anti-phishing solution.
Cyware Publisher