Cybercriminals’ creativity knows no boundaries. That is obvious in their new phishing campaign: using Morse code’s dots and dashes to disguise their attacks.
Microsoft Disects Peculiar New Phishing Campaign
A phishing attack group’s strategies have caught Microsoft’s eye due to their ‘jigsaw puzzle’ technique and unusual features such as Morse code dashes and dots used to hide attacks.
The cybercriminals grouping uses invoices in Excel HTML or web documents to spread credential-stealing forms for later attacks. This method stands out because it goes unnoticed by traditional email filter systems.
“The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments.
In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.”
Microsoft Security Intelligence
The attackers’ main purpose is to gather usernames and passwords, but they also collect profit data such as IP address and location to use in further data breach attempts. “This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls,” Microsoft said.
The new phishing campaign falls within the business email compromise category, a scam more profitable than ransomware. Phishing attacks cost Americans over $4.2 billion in 2020, according to the FBI’s latest statements. BEC is far more expensive than ransomware attacks. It relies on compromised email accounts or email addresses similar to legitimate ones, which are particularly difficult to filter because they blend in within usual, expected traffic.
“The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line,” Microsoft warned.
Excel and the finance-related subject encourages targets to give away their credentials
“Using xls in the attachment file name is meant to prompt users to expect an Excel file. Instead, when the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo.”
The attack uses the Morse Code jointly with JavaScript, the most famous programming language amongst web developers.
“Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves,” Microsoft said.
2021 (“Payroll”) waves,” Microsoft notes.
“In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile, in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.” The use of Morse code in the new phishing campaign was first discovered by Bleeping Computer’s Lawrence Abrams in February this year.
Here, at ATTACK Simulator, we take cybersecurity seriously. We know that phishing attacks can strike at any time, which is why we focus on training, educating, and equipping your staff with the best up-to-date security practices they need to detect and prevent phishing attempts.
Educate your employees on cybersecurity with ATTACK Simulator’s realistic 4-Step Phishing Simulations.
Your company’s safety and future are in your hands and, perhaps most importantly, your employees’ hands. Get your quote here.
Sources:
ZDNet www.zdnet.com/article/microsoft-watch-out-for-this-sneakier-than-usual-phishing-attack/
Microsoft www.microsoft.com/attackers-use-morse-code-in-evasive-phishing-campaign/
Attribution:
Feature Image: Photo by Chris Curry on Unsplash
