New Phishing Attack Uses Morse Code to Hide Malicious URLs
upstart writes in with an IRC submission for Fnord666:
New phishing attack uses Morse code to hide malicious URLs:
After first learning of this attack from a post on Reddit, BleepingComputer was able to find numerous samples of the targeted attack uploaded to VirusTotal since February 2nd, 2021.
The phishing attack starts with an email pretending to be an invoice for the company with a mail subject like 'Revenue_payment_invoice February_Wednesday 02/03/2021.'
[...] When viewing the attachment in a text editor, you can see that they include JavaScript that maps letters and numbers to Morse code. For example, the letter 'a' is mapped to '.-' and the letter 'b' is mapped to '-...', as shown below.
[...] The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string. This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page.
[...] These injected scripts combined with the HTML attachment contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again.
[...] Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials.
This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert logos for the recipient's companies into the login form to make it more convincing. If a logo is not available, it uses the generic Office 365 logo, as shown in the image above.
For extra obfuscation:
- encode a DOT symbol as a space (0x20)
- encode a DASH symbol as a horizontal tab (0x09)
- encode a SPACE symbol as a carriage return (0x0d)
When viewed on a screen or printer, no apparent text would display.
Bonus points for using a Caesar cypher on the hex-encoded text.
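An added example, not part of the story or of the attachment's own code: a Node.js triage decoder that reverses the Morse-to-hex-to-markup chain described above as inert strings and lists the script sources the attachment would have injected. It goes slightly beyond the article by also normalizing the whitespace variant from the comment; the whitespace symbol separator, the function names and the sample string are assumptions constructed for illustration.

```javascript
// Added analyst-side example. Assumption: whitespace-separated symbols, hex digits only.
const MORSE_HEX = {
  '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
  '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
  '.-': 'a', '-...': 'b', '-.-.': 'c', '-..': 'd', '.': 'e', '..-.': 'f',
};

// Stage 1: Morse -> hex. An unknown symbol raises instead of being dropped.
function morseToHex(morse) {
  return morse.trim().split(/\s+/).map((sym) => {
    const ch = MORSE_HEX[sym];
    if (typeof ch !== 'string') throw new Error(`unexpected symbol: ${JSON.stringify(sym)}`);
    return ch;
  }).join('');
}

// Stage 2: hex -> text. The result is returned as a string and never evaluated.
function hexToText(hex) {
  if (hex.length % 2 !== 0) throw new Error('odd-length hex string');
  return Buffer.from(hex, 'hex').toString('latin1');
}

// Whitespace variant from the comment above: dot=0x20, dash=0x09, gap=0x0d.
function fromWhitespaceVariant(s) {
  return s.replace(/[ \t\r]/g, (c) => ({ ' ': '.', '\t': '-', '\r': ' ' })[c]);
}

// Pull the src values of <script> tags out of the decoded markup as indicators.
function extractScriptSources(markup) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  return [...markup.matchAll(re)].map((m) => m[1]);
}

function triage(morse) {
  const markup = hexToText(morseToHex(morse));
  return { markup, sources: extractScriptSources(markup) };
}

// Constructed sample: encodes <script src=//t.test/a></script>
const SAMPLE_MORSE = [
  '...-- -.-. --... ...-- -.... ...-- --... ..---', // <scr
  '-.... ----. --... ----- --... ....- ..--- -----', // ipt(space)
  '--... ...-- --... ..--- -.... ...-- ...-- -..', // src=
  '..--- ..-. ..--- ..-. --... ....- ..--- .', // //t.
  '--... ....- -.... ..... --... ...-- --... ....-', // test
  '..--- ..-. -.... .---- ...-- . ...-- -.-.', // /a><
  '..--- ..-. --... ...-- -.... ...-- --... ..---', // /scr
  '-.... ----. --... ----- --... ....- ...-- .', // ipt>
].join(' ');
```

`triage(SAMPLE_MORSE)` returns the decoded markup and its script sources. Input in the whitespace form goes through `fromWhitespaceVariant` first, because `morseToHex` would otherwise treat those characters as separators.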