A recent round of phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email.
According to M86 researcher Rodel Mendrez, the locally stored file opens a web form that collects the customers' login credentials, credit card numbers and other sensitive information and then uses a POST request to zap them to a PHP application on a legitimate website that's been compromised. By avoiding the use of more verbose GET requests and known phishing sites, the scam flies completely under the radar of the browsers' fraud protection features.
“While the POST request sends information to the phisher's remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity,” Mendrez writes. “Months-old phishing campaigns remain undetected, so it seems this tactic is quite effective.”
There's no technical reason why the browsers can't flag the URL that accepts the POST request. Mendrez posits that few PHP URLs get reported as abusive by most end users because of the technical expertise that's required. With not visible HTML accompanying them, there's little for the average user to go on.
The tactic is similar to one M86 reported last month that embedded self-extracting archive files in phishing emails and also used compromised legitimate sites to bypass anti-phishing protections.
Junk food maker Frito Lay, by the way, was one of the companies whose websites was hacked to host the PHP script, Mendrez says. The malicious app has since been removed.
There was no mention how Microsoft Internet Explorer responds to the HTML forms. ®