Phishing attack targeting financial organisations using SHTML file attachments
17 July 2019
Researchers at Mimecast noted that the use of SHTML file attachments in phishing emails is unusual and has been observed only on very rare occasions. An SHTML file is an HTML page that the web server processes before serving it, inserting standard headers, footers, dynamic information and other content, which makes web pages more dynamic.
The phishing campaign using SHTML file attachments originated in the UK: 55 percent of its emails were distributed in the UK and another 31 percent in Australia. A very small number also targeted organisations in the financial and accounting sectors in South Africa and other countries.
After observing the presence of this phishing campaign, the Mimecast gateway was updated with an advanced custom rule that directly identified the SHTML construction. This way, Mimecast has been able to prevent phishing emails containing malicious SHTML file attachments from reaching more than 100,000 individual users at financial organisations since April this year.
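As an added illustration of the kind of gateway check described above (this is not Mimecast's rule, whose details the article does not give), the following Python scan parses a constructed RFC 822 message and flags attachments that carry an SHTML extension or whose body contains a server-side include directive or a client-side redirect. The sender, recipient, filenames and sample HTML are all constructed for the example.

```python
"""Flag SHTML-style redirecting attachments in an email (added example, not Mimecast's rule)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions that ask a web server to parse the file for server-side includes.
SHTML_EXTENSIONS = (".shtml", ".shtm", ".stm")
# Server-side include directive, e.g. <!--#include virtual="..." -->
SSI_DIRECTIVE = re.compile(rb"<!--#\s*(include|exec|echo|set|config)\b", re.IGNORECASE)
# Client-side redirect constructs that bounce the reader to another site on open.
REDIRECT_MARKERS = re.compile(
    rb"(http-equiv\s*=\s*['\"]?refresh|window\.location|location\.(href|replace))",
    re.IGNORECASE,
)


def inspect_attachment(part) -> list:
    """Return the reasons an attachment looks like a redirecting SHTML lure, or [] if clean."""
    reasons = []
    name = (part.get_filename() or "").lower()
    if name.endswith(SHTML_EXTENSIONS):
        reasons.append(f"shtml extension: {name}")
    payload = part.get_payload(decode=True) or b""
    if SSI_DIRECTIVE.search(payload):
        reasons.append("server-side include directive in attachment body")
    if REDIRECT_MARKERS.search(payload):
        reasons.append("client-side redirect in attachment body")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Map attachment filename -> reasons for every flagged attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        reasons = inspect_attachment(part)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


# Constructed sample attachment: a tiny page whose only job is to meta-refresh elsewhere.
LURE_HTML = '<html><head><meta http-equiv="refresh" content="0;url=https://example.org/"></head></html>'


def build_sample(filename: str = "remittance.shtml", html: str = LURE_HTML) -> bytes:
    """Build a constructed message with one HTML attachment (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.net"
    msg["Subject"] = "Remittance advice"
    msg.set_content("Please see the attached remittance advice.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports both the `.shtml` extension and the redirect, while a plain `.html` attachment with no redirect or include directive produces no findings.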
“This seemingly-innocent attachment redirecting unsuspecting users to a malicious site might not be a particularly sophisticated technique, but it does present businesses with a big lesson. Simple still works. That’s a huge challenge for organisations trying their best to keep their systems secure,” says Tomasz Kojm, senior engineering manager at Mimecast.
He adds that businesses should firstly put the right technologies in place to take care of known threats and reduce the number of threats that reach their employees. Secondly, businesses should proactively train their employees to spot malicious emails and the exercise needs to be regular and engaging.
According to Mimecast, 91% of all cyberattacks originate via email and it only takes a momentary lapse in user vigilance for a scam to wreak havoc. Many phishing emails use images in place of written text to evade mail filters, or code obfuscation techniques to prevent detection by security software.
Malicious actors who deploy phishing tactics to obtain sensitive information or to steal money also take advantage of employees’ natural emotional reactions such as curiosity, fear, and urgency to lure them into taking urgent actions.
“Phishing is not going away any time soon, so you need to ensure your employees can act as a final line of defence against these threats. Not sure if an email is legitimate? Know that a human that needs your feedback will follow up via a different route. If in doubt, follow the basic rule to ignore, delete and report,” Kojm adds.