Money Transfer Spam Campaign with HTML Attachment

Phishers love to arouse curiosity and/or fear in the user’s mind, and this stimulus can compel people to set aside all caution as well as any safety measures they might have in place to avoid such scams.

In a recent spam sample seen in our probe network, we observed that by taking advantage of human curiosity, users can easily be duped into disclosing sensitive information to unknown persons. In order to ensure awareness of this campaign, and others like it, we will discuss this phishing scam in more detail.

In a slight variation on the telegraphic transfer spam attack seen in the past, we see that the message carries an HTML attachment instead of an archived executable file. As shown in Figure 1, users are advised to confirm a pending transaction with their bank and are also told that a copy of the bank slip is attached.

Figure 1. Spam message with HTML attachment

If the HTML attachment is opened, users are shown an image of a payment order. It is interesting to note that this image is very faint and very difficult to read. Using an HTML meta tag with the HTTP-EQUIV "REFRESH" attribute, the page causes this image to disappear after four seconds. Displaying the receipt for such a short period is an attempt to arouse enough interest in the user that they will venture further into the trap.

Figure 2. Copy of bank slip displayed during scam

The page refreshes after four seconds and a popup appears that states that the user has been signed out of their email account and needs to sign in again to view the bank slip.

Figure 3. Pop-up asking user to sign in to email account

On clicking the only available button, users are shown a website that resembles a well-known bank's login page. If users enter their bank credentials or their email address on this page, the information is sent to the scammers and may be used for nefarious purposes.
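The chain described above (a faint image, a timed meta refresh, then a credential form) leaves a recognisable fingerprint in the attachment itself. The following scanner is an added example for mail-gateway or incident-response triage, not code from the original post; the sample HTML it scans is constructed here to mimic the described attachment, and the URL in it is a placeholder.

```python
"""Heuristic scanner for HTML attachments that use a timed meta refresh.

Flags the pattern discussed above: an image shown briefly, a
<meta http-equiv="refresh"> that fires after a few seconds and sends the
viewer elsewhere, and any password field embedded in the attachment.
"""
import re
from html.parser import HTMLParser


class _AttachmentInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refreshes = []        # list of (delay_seconds, target_url)
        self.images = 0
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "4; url=http://..." (delay, optional target)
            m = re.match(r"\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]*))?",
                         a.get("content", ""), re.I)
            if m:
                self.refreshes.append((int(m.group(1)), m.group(2) or ""))
        elif tag == "img":
            self.images += 1
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1


def scan_html_attachment(html, max_delay=10):
    """Return a list of human-readable reasons the attachment looks suspicious."""
    p = _AttachmentInspector()
    p.feed(html)
    reasons = []
    for delay, url in p.refreshes:
        if delay <= max_delay and url:          # short timer plus a redirect target
            reasons.append(f"timed refresh ({delay}s) to {url}")
    if p.images and p.refreshes:
        reasons.append("image shown briefly before redirect")
    if p.password_fields:
        reasons.append("password field in attachment")
    return reasons


# Constructed sample mimicking the attachment described above (placeholder URL).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="4; url=http://example.invalid/login.html">
</head><body><img src="bankslip.jpg"></body></html>"""

if __name__ == "__main__":
    print(scan_html_attachment(SAMPLE))
```

A plain page with a long, target-less refresh (for example a 300-second status page) produces no findings, so the heuristic does not fire on every meta refresh.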

Symantec advises users to avoid clicking on links or opening attachments in unsolicited emails, no matter how much they pique your curiosity with offers of “free” money. Typing your bank’s website address directly into the browser instead of using hyperlinks sent by email is also a good habit that helps ensure your banking credentials remain safe.