
Phishing Campaign Tricks Users Via SHTML File Attachments

by Abeerah Hashim

Researchers have spotted another email phishing campaign that tricks users with fake bills. This one stands out because it abuses SHTML file attachments in the emails.

Phishing Attack Exploiting SHTML File Attachments

Researchers at Mimecast have come across another phishing campaign deceiving users. This time, the attack behaves slightly differently: it uses SHTML file attachments in emails to trick users.

As stated in their blog post, the use of SHTML files is unusual because these files are predominantly associated with web servers. The attack begins in the usual way, with phishing emails sent to the victims. These emails pose as a receipt for a bill payment, and viewing it requires the user to click on the attachment.

Here’s what the emails look like.

[Image: SHTML file billing phishing email. Source: Mimecast]

Upon clicking the attachment, the victim reaches the actual phishing site, which asks for information. A closer inspection reveals that these attachments help the emails evade URL analysis by antimalware tools. (We previously reported a similar phishing scam evading security measures by masking the URLs in QR codes.)

These SHTML files contain JavaScript code masking the actual URL.

[Image: code in the SHTML file attachment. Source: Mimecast]

The moment a user clicks on the attachment, they are redirected to the phishing site, which prompts them to enter sensitive details.
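Because the link sits inside the attached file rather than in the message body, a mail filter has to open web-page attachments and look for redirect logic. The following is an added example, not code from the article or from Mimecast: the indicator patterns, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed heuristics, not taken from the Mimecast report: script constructs
# commonly used to build or hide a redirect target in an HTML-type file.
WEB_EXTENSIONS = (".shtml", ".shtm", ".html", ".htm")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
META_REFRESH_RE = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)
INDICATORS = {
    "redirect": re.compile(r"\blocation\s*(=|\.href|\.replace|\.assign)", re.I),
    "decoding": re.compile(r"\b(atob|unescape|decodeURIComponent|fromCharCode)\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(eval|document\.write)\s*\(", re.I),
}


def scan_message(raw_bytes):
    """Return [(filename, [indicator, ...])] for attachments that redirect on open."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(WEB_EXTENSIONS):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. sent as application/octet-stream
            body = body.decode("utf-8", errors="replace")
        scripts = " ".join(SCRIPT_RE.findall(body))
        hits = {label for label, rx in INDICATORS.items() if rx.search(scripts)}
        if META_REFRESH_RE.search(body):
            hits.add("meta_refresh")
        if hits & {"redirect", "meta_refresh"}:
            findings.append((name, sorted(hits)))
    return findings


def build_sample():
    """Constructed sample: a fake receipt email carrying an .shtml attachment."""
    m = EmailMessage()
    m["Subject"] = "Payment receipt"
    m["From"] = "billing@example.invalid"
    m["To"] = "user@example.invalid"
    m.set_content("Please open the attached receipt.")
    page = ('<html><script>var u = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");'
            "window.location.href = u;</script></html>")
    m.add_attachment(page, subtype="html", filename="Receipt.shtml")
    return m.as_bytes()
```

Calling `scan_message(build_sample())` flags the attachment with the `decoding` and `redirect` indicators; a gateway would typically quarantine such a message or strip the attachment instead of relying on body-URL scanning alone.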

Dear UK Users, Stay Careful!

According to the researchers, this phishing attack seems to originate from the UK. A major part of the campaign is also concentrated in the UK, followed by Australia and South Africa.

Overall, 55% of this campaign was distributed in the UK, 31% in Australia, 11% in South Africa and 3% elsewhere.

In South Africa and the UK, the prime targets seem to be the accounting and finance sectors, whereas in Australia the attack seems targeted towards the education sector.

Nonetheless, this doesn’t mean that other users should ignore such phishing campaigns. As always, everyone should remain vigilant when dealing with emails and opening attachments, at both the individual and business level.
