Yesterday I came across a phishing email with an attachment Po.zip.
First I was happy because I was expecting another piece of malware for dissection. However, opening the zip file was a disappointment. It was just a plain old HTML file.
However, I still restrained myself from opening it directly in the browser and viewed its source code instead. There was another disappointment – no obfuscated scripts or drive-by malware.
So I opened it in the browser, and this is how it looked:
Following the link took me to a standard phishing page that asks for my email address, password and phone number in order to view the document.
On submitting the details, a dummy invoice is downloaded, which is a perfectly safe PDF. But the attacker already has your email address, password and phone number – that is, if you submitted real ones.