Kaspersky experts are warning users about the growing threat coming from the increased numbers of phishing emails containing HTML files.

From January to April 2022, Kaspersky researchers blocked nearly 2-million phishing emails containing HTML attachments.

Using HTML files in phishing letters is one of the latest and popular tricks abused by fraudsters. Usually, such links are easily detected by anti-spam engines or antivirus software but using HTML attachments has allowed cybercriminals to avoid detection.

Many users aren’t even aware that files in phishing emails can be insecure, so they unsuspectingly open these HTML attachments, which turn out to be dangerous and targeted weapons used by cybercriminals.

Fraudsters can stylise HTML attachments to make them look identical to the pages on a company’s official website. They target the official website’s users and copy its style, images, scripts and other multimedia components, using it as bait to trick their victims into entering vulnerable data in the phishing form.

There are two main types of HTML attachments used by cybercriminals: HTML files with a phishing link or entire malicious pages. In the first case, attackers will send an HTML file with text inside, claiming to have important data, such as a bank’s notification about a large transfer attempt.

The user is prompted to click on a link to the bank’s site, to stop the transaction, which instead leads to a phishing page. In some cases, the victim doesn’t even have to click the link. When the user tries to open the HTML attachment, it will automatically redirect them to a malicious site.

Once on this page, victims are requested to fill out a data-entry form to review business-related files, protect their bank account or even receive a government payment. It is only later that the victim finds out they’ve had their personal data and bank details stolen.

The second type of HTML attachments are entire phishing pages. These files allow cybercriminals to save on hosting fees and avoid using websites because the phishing form and the script used to collect data are fully contained within the attachment.

Used as a phishing site, the HTML file can also be personalised, depending on the intended target and the attack vector used to gain the victim’s trust. For example, a fraudster could distribute a phishing email among the employees of a company, appearing as though it’s asking to verify a contract, but is actually a malicious HTML file. Such attachments will have all the visual attributes of that company: logo, style and even the name of the boss as its sender.

Inside the file, the victim is requested to enter the login and password for their corporate account in order to access the document. This data then falls directly into the hands of the cybercriminal, who can use this information to break into the company’s corporate network.

While security solutions can already block emails containing HTML attachments with malicious scripts or phishing links in plain text, cybercriminals are now using different tactics to avoid being blocked. For example, fraudsters often distort the phishing link or the whole HTML file with muddled or garbage code. Although this junk and incoherent text doesn’t appear on the user’s screen, it still makes it harder for anti-spam engines to detect and consequently block the email.

“Cybercriminals use cleverly disguised requests for login credentials to dupe unsuspecting victims into entering their usernames and passwords. Every year we block millions of phishing pages and this number is only expected to grow, meaning users must stay alert and be aware of the danger that these emails can bring. Cybercriminals have created a complex and advanced infrastructure where even novice scammers can create thousands of phishing pages, using ready-made templates, then target a vast range of users. With any amateur now able to create his own phishing page, you have to be particularly careful when opening any links from an email or messaging service,” comments Roman Dedenok, security researcher at Kaspersky.