New phishing attack using Morse code
A new phishing campaign uses a novel obfuscation technique: Morse code that hides malicious website addresses in an email attachment.
Samuel Morse and Alfred Vail created Morse code as a way to transmit messages over the telegraph. Each letter and number is encoded as a series of dots (short sound) and dashes (long sound).
Starting last week, an attacker began using Morse code in order to hide malicious website addresses in his phishing model to bypass secure mail portals and mail filters.
There have been no indications of Morse code being used in phishing attacks in the past, which makes this a new obfuscation technique.
After learning about this attack for the first time via a post on the Reddit platform, security researchers found several attack samples that had been uploaded to VirusTotal since February 2, 2021.
The phishing attack begins with an email that pretends to be a company invoice, and that email includes an HTML attachment labeled in such a way that it looks like the company's Excel invoice.
When the attachment is viewed in a text editor, it turns out to contain JavaScript that maps letters and numbers to Morse code.
The JavaScript calls the decodeMorse() function to decode a string of Morse code into a hexadecimal string.
This hexadecimal string is in turn decoded into JavaScript tags that are injected into the HTML page.
These injected scripts, together with the HTML attachment, contain many of the resources needed to display a fake Excel spreadsheet that shows a login timeout and prompts the user to enter the password again.
After the user enters the password, the form sends the password to a remote site where the attacker can collect the login data.
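For triage, the two decoding layers described above (Morse code to hexadecimal, hexadecimal to script tags) can be unwound offline without opening the attachment in a browser. The following is an added example, not code from the attachment or from the original report; the function names, the 16-token threshold, the single-space token separator and the sample attachment are assumptions constructed for illustration.

```javascript
// Added triage example: names and sample data are constructed, not taken from a real attachment.
// Morse table restricted to hex digits, because the Morse layer decodes to a hexadecimal string.
const MORSE_HEX = new Map(Object.entries({
  "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4", ".....": "5",
  "-....": "6", "--...": "7", "---..": "8", "----.": "9",
  ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
}));

// Constructed sample attachment: the Morse run hides a script tag on a reserved .example host.
const SAMPLE_ATTACHMENT = '<html><body><script>var m = "' + [
  "...-- -.-. --... ...-- -.... ...-- --... ..--- -.... ----. --... ----- --... ....- ..--- -----",
  "--... ...-- --... ..--- -.... ...-- ...-- -.. ..--- ..---",
  "-.... ---.. --... ....- --... ....- --... ----- --... ...-- ...-- .- ..--- ..-. ..--- ..-.",
  "--... ---.. ..--- . -.... ..... --... ---.. -.... .---- -.... -.. --... ----- -.... -.-. -.... .....",
  "..--- ..-. -.... .---- ..--- . -.... .- --... ...-- ..--- ..---",
  "...-- . ...-- -.-. ..--- ..-. --... ...-- -.... ...-- --... ..--- -.... ----. --... ----- --... ....- ...-- .",
].join(" ") + '";</script></body></html>';

// Layer 1: Morse -> hex. Layer 2: hex -> text.
// Returns null when the run is not valid Morse-encoded hex.
function decodeLayers(run) {
  const hex = run.trim().split(/\s+/).map((t) => MORSE_HEX.get(t) ?? "?").join("");
  if (hex.includes("?") || hex.length % 2 !== 0) return null;
  return hex.match(/../g).map((b) => String.fromCharCode(parseInt(b, 16))).join("");
}

// Find long runs of dot/dash tokens, decode them, and list the URLs the hidden markup loads.
function triageAttachment(html) {
  const findings = [];
  // Assumed threshold: 16 or more single-space-separated tokens counts as suspicious.
  const runs = html.match(/(?:[.-]{1,5} ){15,}[.-]{1,5}/g) || [];
  for (const run of runs) {
    const decoded = decodeLayers(run);
    if (decoded === null) continue; // dots and dashes, but not Morse-encoded hex
    const urls = [...decoded.matchAll(/\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi)]
      .map((m) => m[1]);
    findings.push({ tokens: run.split(" ").length, decoded, urls });
  }
  return findings;
}

console.log(JSON.stringify(triageAttachment(SAMPLE_ATTACHMENT), null, 2));
```

The extracted URLs can then be checked against blocklists or proxy logs. The decoded markup is only ever handled as a string and never rendered.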
This campaign appears to be highly targeted: the attacker uses the logo.clearbit.com service to insert the logos of recipient companies into the login form to make it more convincing. If a logo is not available, the generic Office 365 logo is used instead.
Eleven companies have been targeted by this phishing attack, including SGS, Dimensional, Metrohm, SBI (Mauritius), NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti and Capital Four.
Phishing is getting more and more complex as mail portals become better at detecting malicious emails.
As a result, you must pay attention to URLs and attachment names before submitting any information.
Given that the phishing e-mail uses double-extension attachments (xlsx and HTML), it is important to make sure that the display of file extensions is enabled in Windows, which makes suspicious attachments easier to spot.