New phishing attack uses Morse code to hide malicious URLs



A new targeted phishing campaign uses a novel obfuscation technique: Morse code that hides malicious URLs in an email attachment.

Samuel Morse and Alfred Vail invented Morse code as a way to transmit messages over telegraph lines. In Morse code, each letter and number is encoded as a series of dots (short sound) and dashes (long sound).

Starting last week, a threat actor began using Morse code to hide malicious URLs in their phishing emails to bypass secure email gateways and mail filters.

BleepingComputer could not find any references to Morse code being used in phishing attacks in the past, making this a novel obfuscation technique.

The novel Morse code phishing attack

After first learning about this attack from a post on Reddit, BleepingComputer was able to find more examples of the targeted attack that have been uploaded to VirusTotal since February 2, 2021.

The phishing attack starts with an email pretending to be an invoice for the company, with a subject line such as “Revenue_payment_invoice February_Wednesday 02/03/2021.”

Phishing email

This email includes an HTML attachment named so that it appears to be an Excel invoice for the company. These attachments are named in the format ‘[company_name]_invoice_[number]._xlsx.hTML’.

For example, if BleepingComputer was targeted, the attachment would be named ‘bleepingcomputer_invoice_1308._xlsx.hTML.’

When you view the attachment in a text editor, you can see that it includes JavaScript that maps letters and numbers to Morse code. For example, the letter ‘a’ is mapped to ‘.-’ and the letter ‘b’ is mapped to ‘-...’, as shown below.

Source code of the HTML phishing attachment

The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string. This hexadecimal string is further decoded into JavaScript code that is injected into the HTML page.

Decoded JavaScript code
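
As an added example (not code from the attachment or from BleepingComputer), the following analyst-side triage helper reverses the two layers described above, Morse to hexadecimal to text, and lists any URLs in the result. The whitespace token separator, the function names, and the sample string are assumptions constructed for illustration.

```javascript
// Morse codes for the 16 hex digits; the decoded layer is a hex string.
const MORSE_HEX = new Map(Object.entries({
  ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
  "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
  ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}));

// Whitespace-separated Morse tokens -> hex string, or null if any token
// is not a hex digit (so ordinary Morse text is not mistaken for a payload).
function morseToHex(morse) {
  const digits = morse.trim().split(/\s+/).map((tok) => MORSE_HEX.get(tok));
  return digits.includes(undefined) ? null : digits.join("");
}

// Hex string -> text, or null if it is odd-length or not printable ASCII.
function hexToText(hex) {
  if (hex.length === 0 || hex.length % 2 !== 0) return null;
  let text = "";
  for (let i = 0; i < hex.length; i += 2) {
    text += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return /^[\x09\x0a\x0d\x20-\x7e]+$/.test(text) ? text : null;
}

// Scan attachment source for quoted literals made only of dots, dashes and
// spaces, peel both layers, and list any URLs found in the result.
function scanAttachment(html) {
  const findings = [];
  for (const m of html.matchAll(/(["'])([.\- ]{40,})\1/g)) {
    const hex = morseToHex(m[2]);
    const decoded = hex === null ? null : hexToText(hex);
    if (decoded !== null) {
      findings.push({ decoded, urls: decoded.match(/https?:\/\/[^\s"'<>]+/g) || [] });
    }
  }
  return findings;
}

// Constructed sample (not from a real attachment): one byte per entry.
const SAMPLE_MORSE = [
  "-.... ---..", "--... ....-", "--... ....-", "--... -----", "--... ...--", // https
  "...-- .-", "..--- ..-.", "..--- ..-.",                                     // ://
  "-.... .....", "--... ---..", "-.... .----", "-.... -..",                   // exam
  "--... -----", "-.... -.-.", "-.... .....",                                 // ple
  "..--- .", "--... ....-", "-.... .....", "--... ...--", "--... ....-",      // .test
  "..--- ..-.", "--... ---..", "..--- .", "-.... .-", "--... ...--",          // /x.js
].join(" ");
const SAMPLE_HTML = `<script>var enc = "${SAMPLE_MORSE}"; /* decodeMorse(enc) */</script>`;
console.log(JSON.stringify(scanAttachment(SAMPLE_HTML), null, 2));
```
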

These injected scripts, combined with the HTML attachment, contain the various resources needed to render a fake Excel spreadsheet stating that the user's sign-in timed out and prompting them to enter their password again.

HTML attachment showing the phishing login form

Once a user has entered their password, the form will send the password to a remote website where attackers can collect the login information.

This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert the logo of the recipient’s company into the login form to make it more convincing. If a logo is not available, it uses the generic Office 365 logo, as shown in the image above.

BleepingComputer has seen eleven companies targeted by this phishing attack, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti and Capital Four.

Phishing scams are becoming more intricate every day as mail gateways become better at detecting malicious emails.

Because of this, everyone needs to pay close attention to URLs and attachment names before submitting any information. If something looks suspicious, recipients should contact their network administrators to investigate further.

Because this phishing email uses attachments with a double extension (xlsx and HTML), it is important to make sure that Windows is configured to show file extensions, which makes suspicious attachments easier to spot.

