Scalable Vector Graphics (SVG) files are emerging as a favored way for attackers to evade spam and phishing detection, because they can carry embedded JavaScript. Phishing campaigns using SVG files have surged recently, with a variety of themes and obfuscation techniques used to redirect unwitting users to malicious sites. The report highlights four campaigns that show the range of lures and tactics used to compromise victims.
Affected: email sector, IT security sector, individuals
Key points:
- SVG files can bypass spam and phishing detection by embedding JavaScript within XML data.
- Both inline and standalone SVG attachments are used for phishing; standalone attachments avoid URL-scanning protections.
- Recent phishing campaigns have leveraged themes such as voice messages, document signatures, and payment notices.
- The malicious use of SVG files has increased significantly, with campaigns generating high volumes of spam messages.
- Attackers utilize various obfuscation methods including ECMAScript, base64 encoding, and hex encoding to hide phishing URLs.
- Campaigns feature sophisticated techniques to redirect users to credential harvesting pages.
- Forcepoint’s Email Security and Web Security analytics protect against these threats.
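The key points above translate into a simple attachment check. The following is an added example, not code from the Forcepoint report: it flags script elements, event-handler attributes, decoder and redirect calls, and base64 or hex runs in an SVG. The thresholds, finding labels and sample input are assumptions made for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Thresholds and finding labels are assumptions chosen for this example.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
DECODER = re.compile(r"\b(?:atob|eval|unescape|fromCharCode)\b")
REDIRECT = re.compile(r"\blocation\b\s*(?:=|\.(?:href|replace|assign))")

def _local(name):
    return name.rsplit("}", 1)[-1].lower()  # '{ns}href' -> 'href'

def _hides_url(blob):
    """True if a base64 run decodes to bytes that start like a URL."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:
        return False
    return raw.lower().startswith((b"http://", b"https://"))

def scan_svg(data):
    """Return sorted finding labels for one SVG document given as str."""
    if re.search(r"<!ENTITY", data, re.I):
        return ["entity-declaration"]  # do not parse: avoids entity expansion
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings, code = set(), []
    for el in root.iter():
        if _local(el.tag) == "script":
            findings.add("script-element")
            code.append("".join(el.itertext()))
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):
                findings.add("event-handler")
                code.append(value)
    for text in code:
        checks = (("decoder-call", DECODER), ("redirect", REDIRECT), ("hex-blob", HEX_RUN))
        findings.update(label for label, rx in checks if rx.search(text))
        if any(_hides_url(m.group()) for m in B64_RUN.finditer(text)):
            findings.add("base64-url")
    return sorted(findings)

# Constructed sample, not taken from any campaign; the URL is a placeholder.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA[
window.location.href = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4=");
]]></script></svg>"""
```

An SVG meant to be a static image has no need for any of these constructs, so any finding on an email attachment is a reasonable trigger for quarantine or manual review.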
MITRE Techniques:
- Command and Control: Malicious SVG files redirect users once their embedded scripts execute.
- Obfuscated Files or Information (T1027): Using base64, byte arrays, and AES encryption to hide malicious JavaScript and redirect URLs within the SVG files.
- Phishing: Utilizing deceptive email subjects and lures, such as fake voicemail and document signatures, to trick users into opening the SVG files.
Indicators of Compromise:
- [Email Address] TOBi@tobincenter[.]org
- [Email Address] info@cazareinfelix[.]ro
- [Email Address] steve@stackgrouprealty[.]com
- [Domain] vacuumlandos[.]com
- [SHA1] 69c9937ae2ddb81a55385aadb3751e572026fa5d
Full Story: https://www.forcepoint.com/blog/x-labs/obfuscated-svg-files-redirect-victims