Security researchers have spotted a new technique phishing actors are using to bypass traditional security filters – this time making use of blank images.
The email in question was detected by Check Point-owned Avanan, and arrived as a legitimate-looking DocuSign message.
While the link in the email body would take the user straight to a normal DocuSign page, the HTML attachment at the bottom was more suspect.
The HTML file in question contained an SVG image encoded with Base64.
“At the core, this is an empty image with active content inside. In fact, there is JavaScript inside the image. This redirects automatically to the malicious URL,” said Avanan.
“Essentially, the hackers are hiding the malicious URL within an empty image to bypass traditional scanning services.”
Clicking on the link would automatically take the user to a malicious website.
“This is an innovative way to obfuscate the true intent of the message,” the security vendor concluded.
“It bypasses VirusTotal and doesn’t even get scanned by traditional Click-Time Protection. By layering obfuscation on obfuscation, most security services are helpless against these attacks.”
It can be seen as a variation on a previous “MetaMorph” attack spotted by Avanan several years ago, in which phishing actors used “meta refresh” to redirect the user from the locally hosted HTML attachment to a phishing page on the public internet. A meta refresh is a feature that instructs a web browser to automatically reload or redirect the current page after a given time interval.
To mitigate the risk, security admins are urged to be suspicious of, or outright block, HTML or .htm attachments in any inbound emails – treating them effectively like executables.
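As an added illustration (not code from the article or from Avanan), the following Python triage check decodes every Base64 SVG data URI found in an HTML attachment and flags any whose decoded body carries active content, and it also flags the meta-refresh variant described above. The sample attachment and the `redirect-target.invalid` placeholder URL are constructed here purely for the demonstration.

```python
import base64
import re

# Constructed sample: an HTML attachment whose only "image" is a 1x1 SVG,
# Base64-encoded, with a <script> element inside it (placeholder URL).
_SVG_WITH_SCRIPT = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script>window.location.href="https://redirect-target.invalid/";</script>'
    '</svg>'
)
SAMPLE_HTML = (
    '<html><body><p>Please review your document.</p>'
    '<img src="data:image/svg+xml;base64,'
    + base64.b64encode(_SVG_WITH_SCRIPT.encode()).decode()
    + '"></body></html>'
)
# Constructed benign sample: an empty SVG with no active content.
BENIGN_HTML = (
    '<img src="data:image/svg+xml;base64,'
    + base64.b64encode(b'<svg xmlns="http://www.w3.org/2000/svg"/>').decode()
    + '">'
)

# Base64 SVG data URIs; the Base64 run may contain whitespace in real mail.
DATA_URI_RE = re.compile(r'data:image/svg\+xml;base64,([A-Za-z0-9+/=\s]+)', re.I)
# Script elements, inline event handlers, javascript: URLs, location writes.
ACTIVE_RE = re.compile(r'<script\b|\bon[a-z]+\s*=|javascript:|\blocation\b', re.I)
# The "MetaMorph" variant: a client-side redirect via <meta http-equiv=refresh>.
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I)


def find_active_svgs(html_text):
    """Decode each Base64 SVG data URI and return the ones carrying active content."""
    hits = []
    for match in DATA_URI_RE.finditer(html_text):
        try:
            svg = base64.b64decode(match.group(1)).decode('utf-8', 'replace')
        except ValueError:  # malformed Base64 (binascii.Error is a ValueError)
            continue
        if ACTIVE_RE.search(svg):
            hits.append(svg)
    return hits


def triage_attachment(html_text):
    """Return human-readable findings for one HTML attachment (empty list = clean)."""
    findings = []
    active = find_active_svgs(html_text)
    if active:
        findings.append(f"{len(active)} base64 SVG image(s) contain active content")
    if META_REFRESH_RE.search(html_text):
        findings.append("meta refresh redirect present")
    return findings
```

Run it against the `.htm` attachment body before it reaches a mailbox; a non-empty findings list is a reason to quarantine regardless of how clean the visible email body looks.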
Some parts of this article are sourced from:
www.infosecurity-magazine.com