Phishers Use Blank Images to Disguise Malicious Attachments

Security researchers have discovered another innovative technique used by phishers to bypass traditional security filters: this time, a blank image.

The email in question was detected by Avanan, a Check Point company, and arrived as a legitimate-looking DocuSign message.

The link in the email body takes the user directly to the regular DocuSign page, but the HTML attachment at the bottom was more suspicious.

The HTML file in question contained a Base64 encoded SVG image.

“Essentially, it’s an empty image with active content. In fact, there’s JavaScript inside the image, which automatically redirects to a malicious URL,” Avanan said.

“Essentially, hackers are hiding malicious URLs inside blank images to bypass traditional scanning services.”

Clicking on the link automatically directs the user to a malicious site.

“This is an innovative way of obfuscating the true intent of the message,” concludes the security vendor.

“Bypasses VirusTotal and is not even scanned by traditional time-of-click protection. Obfuscation upon obfuscation renders most security services powerless against these attacks.”

This can be seen as a variation on the earlier “MetaMorph” attack discovered by Avanan several years ago. In that attack, phishing actors use a “meta refresh” to redirect users from a locally opened HTML attachment to a phishing page on the public internet. Meta refresh is an HTML feature that tells the web browser to automatically reload or navigate away from the current page after a specified time interval.

To mitigate the threat, security administrators are advised to treat HTML and .htm attachments in incoming emails with suspicion or block them outright, effectively handling them like executable files.
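The following is an added example, not code from the article or from Avanan, showing what a mail-gateway check along the lines described above might look like: it pulls each HTML/.htm attachment out of a message, decodes any Base64 SVG data URI it finds, and reports whether the "image" carries script or a browser redirect, alongside the older meta-refresh pattern. The sample message, the filenames and the URL are all constructed placeholders, and the `<object>` element used to embed the SVG is an assumption for the sample only; the detector does not depend on which element carries the data URI.

```python
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed samples (not real indicators): the lure attachment embeds a
# Base64-encoded SVG whose only content is a script that navigates away; the
# benign one embeds a plain SVG with no active content. The URL is a placeholder.
REDIRECT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script>window.location = "https://example.invalid/placeholder";</script>'
    "</svg>"
)
STATIC_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'


def html_with_svg(svg: str) -> str:
    """Wrap an SVG as a Base64 data URI inside an otherwise empty HTML page."""
    b64 = base64.b64encode(svg.encode()).decode()
    return f'<html><body><object data="data:image/svg+xml;base64,{b64}"></object></body></html>'


def build_sample_email(html: str, filename: str) -> EmailMessage:
    """Build a DocuSign-style lure (constructed) with the given HTML file attached."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Please review and sign"
    msg.set_content("A document is waiting for your signature.")
    msg.add_attachment(html, subtype="html", filename=filename)
    return msg


# Patterns that a surface scan of the HTML never sees while they sit inside the Base64 blob.
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
SCRIPT_TAG = re.compile(r"<script\b", re.I)
JS_NAVIGATION = re.compile(r"(?:window\.)?location(?:\.href)?\s*=|location\.replace\(", re.I)
META_REFRESH = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?refresh', re.I)
HTML_EXTENSIONS = (".html", ".htm")


def analyse_html(html: str) -> list[str]:
    """Return detection labels for one HTML document, decoding embedded SVGs."""
    findings: list[str] = []
    if META_REFRESH.search(html):
        findings.append("meta-refresh")        # the older "MetaMorph" style redirect
    if SCRIPT_TAG.search(html):
        findings.append("inline-script")
    for match in SVG_DATA_URI.finditer(html):
        try:
            svg = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:                     # binascii.Error is a ValueError
            findings.append("svg-undecodable")
            continue
        if SCRIPT_TAG.search(svg):
            findings.append("svg-script")      # active content inside an "image"
        if JS_NAVIGATION.search(svg):
            findings.append("svg-redirect")    # the image navigates the browser
    return findings


def scan_message(msg: EmailMessage) -> dict[str, list[str]]:
    """Map each HTML/.htm attachment to its findings; other attachments are skipped."""
    report: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = name.lower().endswith(HTML_EXTENSIONS) or part.get_content_type() == "text/html"
        if not is_html:
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        # Every HTML attachment is flagged, as the article advises; the decoded-content
        # labels tell the analyst how much worse this one is than a plain HTML file.
        report[name] = ["html-attachment"] + analyse_html(body)
    return report


def scan_raw(raw: bytes) -> dict[str, list[str]]:
    """Scan an RFC 5322 message as it would arrive at a mail gateway."""
    return scan_message(message_from_bytes(raw, policy=default))


if __name__ == "__main__":
    lure = build_sample_email(html_with_svg(REDIRECT_SVG), "document.html")
    print(scan_raw(lure.as_bytes()))
```

The point of decoding rather than pattern-matching the outer HTML is visible in the sample: the lure attachment contains no `<script` text at all until the SVG payload is Base64-decoded, which is exactly why a scanner that stops at the attachment's surface reports nothing.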
