McAfee Labs has recently observed a new wave of phishing attacks. In this wave, the attacker has been abusing server-parsed HTML (SHTML) files. SHTML files are commonly associated with web servers that redirect users to malicious, credential-stealing websites or display phishing forms locally within the browser to harvest sensitive user information. Figure 1 shows the geographical distribution of McAfee clients that detect malicious SHTML files.

Figure 1. McAfee Client Detection of SHTML

Attackers victimize users by distributing SHTML files as email attachments. The sentiments used in such phishing emails include a payment confirmation, invoice, shipment, etc. The email contains a small thread of messages to make the recipient more curious to open the attachment. When the SHTML attachment is clicked, it opens a blurred fake document with a login page in the browser, as shown in Figure 3. To read the document, however, the user must enter their credentials. In some cases, the email address is prefilled.

Attackers commonly use JavaScript in the SHTML attachments, either to generate the malicious phishing form, to redirect the user, or to hide malicious URLs and behavior. Below is the code snippet that shows how the blurred background image is loaded.

The blurred images are taken from legitimate websites such as:

Phishing attacks abuse static form service providers, such as Formspree and Formspark, to steal sensitive user information.

Formspree.io is a back-end service that allows developers to easily add forms to their website without writing server-side code; it also handles form processing and storage. It takes HTML form submissions and sends the results to an email address. The attackers use the formspree.io URL as the action URL, which defines where the form data will be sent. Figure 8 shows the code snippet for the action URL that works in conjunction with the POST method.

Figure 8. Formspree.io as action URL with POST method

When the user enters the credentials and hits the "submit" button, the data is sent to Formspree.io. Subsequently, Formspree.io forwards the information to the specified email address. Another figure shows the flow of user submission data from the webpage to the attacker's email address. Known malicious forms may be blocked, preventing the form submission data from being sent to the attacker. Figure 11 below shows the form blocked due to suspected fraudulent activity.

To prevent the user from recognizing that they have just been phished, the attacker redirects the user's browser to an unrelated error page that is associated with a legitimate website.

To conclude, phishing is a form of social engineering in which attackers trick people into disclosing confidential information or installing malware. It is a widespread and pervasive problem. This blurry image phishing scam uses simple, basic HTML and JavaScript code, but it can still be effective. A blurry image is enough to trick many users into believing the email is legitimate. To stay protected, users should keep their systems up to date and refrain from clicking links and opening SHTML attachments that come through email from untrusted sources. McAfee customers are protected against this phishing campaign.

Domain parking services offer a simple solution for domain owners to monetize their sites' traffic through third-party advertisements. While domain parking might appear harmless at first glance, parked domains pose significant threats, as they can redirect visitors to malicious or unwanted landing pages or turn entirely malicious at any point in time. We have been detecting parked domains for more than nine years. From March to September 2020, we identified 5 million newly parked domains. In the same time frame, we observed that 6 million parked domains transitioned to other categories. Out of the transitioned parked domains, 1.0% changed to malicious categories (such as phishing or malware), 2.6% changed to not-safe-for-work categories (such as adult or gambling) and 30.6% changed to suspicious categories (such as questionable or high risk). Compared to a benign domain (such as computer and internet info or shopping), a parked domain has an eight times higher probability of changing its category to one of the above non-benign categories.

In this blog, we further investigate the domain parking ecosystem and outline different types of abuse, including:

Domain registration abuse: We observed the malicious life cycle of the domain valleymedicalandsurgicalcliniccom, which is no longer active, as part of a global Emotet campaign. Emotet is one of the most popular malware families distributed via phishing emails. During this campaign, Palo Alto Networks observed attacks against organizations in various industries (such as education, government, energy, manufacturing, construction and telecommunications) all over the world, including the United States, the United Kingdom, France, Japan, Korea and Italy.