By Andrew Brandt
It was a particularly busy weekend for spammers, especially the creepy, evil ones who are trying to steal information (as opposed to the merely scungy pill vendors and their ilk). Webroot’s Threat Research team has recently seen a glut of phishing messages which, like most, purport to come from banks and ask you to update your account information. But unlike most phishing messages, which contain a link to a Web site, these phishing messages include an attached HTML file which, in essence, puts the phishing page right on your hard drive.
When launched, the HTML file renders a sparse but effective phishing form in the browser. The pages warn the victim that “This account has been temporarily suspended for security reasons” and ask the victim to “confirm that you are the rightful owner of this account” — by providing the “bank” with a wide range of personally identifiable information they should already have, and never would ask you to provide through a Web-based form in the circumstances described in the message.
These pages also pull graphics from the banks’ Web sites–activity that, when it comes from a phishing site hosted on a server not belonging to the targeted bank, typically alerts the banks to phishy behavior. Because the graphics are loaded only once, from the desktop of the targeted victim, the banks can’t put a stop to it before it’s too late.