Just as this morning, we received a quite different sample of eBay Phish from one of our sources. It arrives as an HTA file named, eBaymessage.hta that displays the message shown below.
As you may noticed, there are no links to be clicked to direct you to the Phishing site nor links that advises you to pay a visit and asks you to disclose critical information but, the trick is, “it’s done!”.
The message is just in plain text but, what you don’t see is the embedded malicious javascript. The malicious script is encoded using the escape() method of javascript. It executes as soon as the HTA file is loaded without noticing it.
Encoded :
Now, what you see below is the decoded malicious script. This is where the Phishing is done. It modifies your hosts file so that the following URL addresses or hostnames on the right will be mapped to the corresponding IP addresses on the left (Phish site). This means, whenever you visit either of the URL addresses on the right you will always resolve to the mapped IP address in the hosts file which, in this case is the IP address of the Phish. Your address bar and status bar will look normal as if you are visiting the real site.
Decoded :
This kind of threat can be avoided if we are just careful on opening attachment/s especially if we don’t know the sender of the email or we don’t expect to receive such email.