By Motti Elloul, VP Customer Success and Incident Response, Perception Point
Email phishing scams are nothing new. But they are growing increasingly prevalent and sophisticated – over 3 billion phishing emails are sent every day, and the tactics used to disguise them are only growing increasingly devious.
One specimen in point: the Incident Response team from our company, Perception Point, recently discovered a new phishing wayfarers that uses HTML files to obfuscate malicious scripts, duping unsuspecting users into inward their credentials and divulging sensitive personal data.
This latest wade strategy underscores the importance of email security, vicarial as the first line of defense, and emphasizes how comprehensive solutions are required to snift and remediate extremely deceptive threats that victorious in enterprise users’ inboxes. These solutions can help take the onus off of employees, reducing the possibility of human error, though naturally they still must exercise unstipulated caution.
How the Wade Works
In this newly identified phishing scam, an attacker sends an email disguised as an urgent company-related payment request with an HTML attachment. Upon opening the HTML file, the user is redirected to a spoofed Microsoft login page, where they are prompted to enter their credentials.
Although this wade may seem like a typical phishing model, it is perhaps increasingly clever than meets the eye, as it is capable of bypassing wide detection methods and here’s why.
When standard email security systems scan the HTML attachment, the only thing they typically lay yellowish is the Base64 encoded object. However, when running the zipper through Perception Point’s solution, dynamically scanning 100% of content that other platforms may overlook, it was discovered that once decoded, the object led to a SVG file encoded as a URL. Only upon decoding the file for a second time was an obfuscated script intended for credential theft exposed.
Pulling When the Layers
Diving into the code, researchers on the Incident Response team managed to locate the source of the uploaded CSS as well as the obfuscated script on the URL that is meant for credential stealing. By going through each step of the attack, the team was worldly-wise to obtain the first URL used in the script to determine where the payload was sent as well as its wordage method: they discovered that the wade was designed to send a POST request to the extracted URL surpassing sending the victim’s credentials as a JSON (JavaScript Object Notation) format file.
Researchers remoter found that the variable marked ‘b’ in the wade had all the CSS base64 encoded. Without probe into a few increasingly decoded variables, the researchers discovered the HTML of the login. They then unswayable that at this point in the attack, the hacker would use a script for stealing the entered credentials utilizing a Base64 encoded “btype” variable. Although the URL write was revealed to be slightly incomplete without a round of decoding, researchers saw that the script would recoup by subtracting the letter ‘h’ to well-constructed it. This made it suitable to host an obfuscated script with the expressed purpose of credential stealing.
Though the sophistication of this wade is alarming, there are likely myriad others like it. Unfortunately, the majority of email security systems lack the topics to peel when these ramified layers.
Catch the Phish
There’s no telling how much increasingly elusive these phishing threats will wilt – this newest wade wayfarers certainly won’t be the last of its kind. In fact, equal to Perception Point’s latest Cybersecurity Trends Report, wide phishing attacks skyrocketed by 436% in 2022.
While it still is good practice for employees to tideway their email-based processes and tasks with circumspection and scrutiny, it is in their organization’s weightier interest to proactively deploy multi-layered security solutions such as those that harness image recognition technologies to snift plane the subtlest of phishing scams. Organizations enjoy firsthand support in preventing and remediating attacks by integrating incident response services into their cybersecurity solutions, powerfully countering perpetrators of phishing attacks.
