A recent round of phishing attacks targeting customers of Bank of America and PayPal circumvent fraud protections built in to the Mozilla Firefox and Google Chrome browsers by attaching an HTML file to the spam email.
According to M86 researcher Rodel Mendrez, the locally stored file opens a web form that collects the customers' login credentials, credit card numbers and other sensitive information and then uses a POST request to zap them to a PHP application on a legitimate website that's been compromised. By avoiding the use of more verbose GET requests and known phishing sites, the scam flies completely under the radar of the browsers' fraud protection features.
