{“lastseen”:”2025-11-11T14:05:15″,”description”:”This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up\u2014precisely because it\u2019s so easy to follow what they’re up to.\\n\\nThe email is direct and to the point. Not a lot of social engineering happening here.\\n\\n\\n\\n\\u003e \u201cDear ,\\n\\u003e \\n\\u003e Pls kindly find the attached PO please send us PI once its available.\u201d\\n\\nThe sender’s address belongs to a Czechoslovakian printing service (likely compromised), and the name and phone number are fake. The target is in Taiwan.\\n\\nThe attached `.shtml` file is a tidy fake login screen that doesn\u2019t really specify which credentials they want:\\n\\n\\n\\nThe pre-filled email address in the screenshot is a fake one I added; normally it would be the target’s email.\\n\\nWe assume the phisher welcomes any credentials entered here, and are counting on the fact that most people reuse passwords on other sites. \\n\\nUnder the hood, the functionality of this attachment lies in this piece of JavaScript.\\n\\n\\n\\nIt starts with simple checks to make sure all the fields are filled out and long enough before declaring the Telegram bot that will receive the login details.\\n\\nUsing Telegram bots provides the phishers with several advantages:\\n\\n * Stolen credentials are delivered instantly to the attacker via Telegram notifications. No need for the phisher to keep checking a database or inbox.\\n * Telegram is a legitimate, globally distributed messaging service, making it difficult to block.\\n * There’s no exposed web server or obvious phishing \\”drop site\\” that can be blocklisted or shut down.\\n\\n\\n\\nThe last line contains a credibility trick:\\n\\n`setTimeout(() =\\u003e {window.location.assign(\\”file:\/\/\/C:\/Users\/USER\/Downloads\/Invoice_FAC_0031.pdf\\”)}, 2000);`\\n\\nThis tries to open a file on the user\u2019s computer after waiting 2 seconds (2,000 milliseconds). Since this file almost certainly doesn’t exist, the browser will either block the action (especially from an email or non-local file) or show an error. Either way, it will make the login attempt look more legitimate and take the user\u2019s mind off the fact that they just sent their credentials who knows where.\\n\\nThat\u2019s really all there is to it, except for a bit of code that the dungeon-dweller forgot to remove during their copy-and-paste coding. Or they had no idea what it was for and left it in place for fear of breaking something.\\n\\n\\n\\nI suspect the attacker originally used this code to encrypt the credentials with a hardcoded AES (Advanced Encryption Standard) key and injection vector, then send them to their server.\\n\\nThis attacker replaced that method with the simpler Telegram bot approach (much easier to use), but left the decryption stub because they were afraid removing it would break something.\\n\\n## Don\u2019t fall for phishing attempts\\n\\nEven though the sophistication level of this email was low, that does not reduce the possible impact of sending the attacker your credentials.\\n\\nIn phishing attempts like these, two simple rules can save you from lots of trouble.\\n\\n * Don\u2019t open unsolicited attachments\\n * Check if the website address in the browser matches the domain you expect to be on (e.g. adobe.com).\\n\\n\\n\\nOther important tips to stay safe from phishing in general:\\n\\n * Verify the sender: Always check if the sender\u2019s email address matches what you would expect it to be. It\u2019s not always conclusive but it can help you spot some attempts.\\n * Check through an independent channel if the sender actually sent you an attachment or a link.\\n * Use up-to-date security software, preferably with a web protection component.\\n * Keep your device and all its software updated.\\n * Use multi-factor authentication for every account you can.\\n * Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.\\n\\n\\n\\nIf you already entered credentials on a page you don\u2019t trust, change your passwords immediately.\\n\\n**Pro tip:** You can also upload screenshots of suspicious emails to Malwarebytes Scam Guard. It would have recognized this one as a phishing attempt.\\n\\n* * *\\n\\n**We don ‘t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we\u2019ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!”,”published”:”2025-11-11T13:17:43″,”modified”:”2025-11-11T13:17:43″,”type”:”malwarebytes”,”title”:”How credentials get stolen in seconds, even with a script-kiddie-level phish”,”source”:””,”references”:””,”id”:”MALWAREBYTES:8E38A4670BDEC8913F833D1A8F1D8E88″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2025\/11\/how-credentials-get-stolen-in-seconds-even-with-a-script-kiddie-level-phish”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-11T14:05:15″,”description”:”This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-25663","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n