
Phishing Scam Blank Image Masks Code in SVG Files


Researchers from Avanan have observed the worldwide spread of a new threat dubbed 'Blank Image,' in which attackers attach blank images to HTML messages. As soon as the user opens the attachment, they are redirected to a malicious URL.

Blank Image attack 

The bogus emails claim that you need to sign a DocuSign document, delivered as an attachment cryptically named "Scanned Remittance Advice.htm". The HTML file contains an SVG image encoded in Base64; scammers embed Base64-encoded SVG vector images in HTML attachments to get around the security checks that are typically enabled by default on email inboxes.

SVGs are XML-based vector images that, unlike raster formats such as JPG and PNG, can contain HTML script elements. When an HTML document displays an SVG through an <embed> or <iframe> tag, the image is rendered and any JavaScript embedded in it is executed.

Although the message body looks fairly harmless, opening the HTML attachment unleashes its malicious payload on your device. The file contains the attack's script rather than the XML drawing data a typical SVG would hold.

According to the researchers, this is a creative way to mask the message's true intent. It evades scanning by conventional Click-Time Protection and by VirusTotal; because obfuscation is piled upon obfuscation, most security services are defenseless against these attacks.

Therefore, users should keep away from any emails that carry HTML or .htm attachments. Administrators should consider blocking HTML attachments and treating them the same as executables (.exe, .cab).

This attack can be linked to the earlier 'MetaMorph' attack first discovered by Avanan a few years ago, in which phishing actors used a meta refresh to send users from a locally hosted HTML attachment to a phishing website on the open internet. A meta refresh is an HTML feature that tells a web browser to automatically reload the current page, or load another URL, after a specified amount of time.
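As an added example that is not part of the original post and not Avanan's tooling, the following Python script shows how a mail gateway or an analyst could triage an .htm attachment for the two mechanisms described above: a Base64-encoded SVG that carries active content (script elements, event handlers, javascript: URLs) and a meta refresh that sends the browser to an external URL. The two sample attachments and the host phish.example.invalid are constructed for the demonstration; the verdict logic is a simple policy choice, not a reproduction of any vendor's detection.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Markers used by the triage below. ACTIVE_RE covers the ways an SVG can carry
# executable content: script elements, on* event handlers, javascript: URLs and
# foreignObject wrappers (which can hold arbitrary HTML).
DATA_URI_RE = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=\s]+)", re.I)
ACTIVE_RE = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b", re.I)
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
REFRESH_URL_RE = re.compile(r"url\s*=\s*[\"']?([^\"'>\s;]+)", re.I)


def decode_embedded_svgs(html: str) -> list:
    """Return the decoded bytes of every Base64 SVG data: URI found in the HTML."""
    svgs = []
    for match in DATA_URI_RE.finditer(html):
        payload = re.sub(r"\s", "", match.group(1))
        try:
            svgs.append(base64.b64decode(payload, validate=True))
        except (binascii.Error, ValueError):
            # Undecodable blob: not an image we can inspect, skip it.
            continue
    return svgs


def analyze_html_attachment(html: str) -> dict:
    """Triage an HTML attachment: count embedded SVGs, flag those with active
    content, collect meta-refresh targets, and return a verdict."""
    report = {"embedded_svgs": 0, "active_svgs": 0, "meta_refresh_urls": [], "verdict": "allow"}
    for svg in decode_embedded_svgs(html):
        report["embedded_svgs"] += 1
        if ACTIVE_RE.search(svg.decode("utf-8", errors="replace")):
            report["active_svgs"] += 1
    for tag in META_TAG_RE.findall(html):
        lowered = tag.lower()
        if "http-equiv" in lowered and "refresh" in lowered:
            found = REFRESH_URL_RE.search(tag)
            if found:
                report["meta_refresh_urls"].append(found.group(1))
    # A locally opened attachment has no business scripting an image or
    # bouncing the browser to a remote URL, so either one is enough to block.
    external = [u for u in report["meta_refresh_urls"] if urlparse(u).scheme in ("http", "https")]
    if report["active_svgs"] or external:
        report["verdict"] = "block"
    return report


# Constructed samples (not real attachments). The placeholder host
# phish.example.invalid is a reserved name and never resolves.
_REDIRECT_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    b'<script type="text/javascript">window.location.href = "https://phish.example.invalid/";</script>'
    b"</svg>"
)
SAMPLE_HTML = (
    '<html><head><meta http-equiv="refresh" content="0;url=https://phish.example.invalid/"></head>'
    '<body><embed type="image/svg+xml" src="data:image/svg+xml;base64,'
    + base64.b64encode(_REDIRECT_SVG).decode("ascii")
    + '"></body></html>'
)
_PLAIN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="blue"/></svg>'
)
BENIGN_HTML = (
    '<html><body><img src="data:image/svg+xml;base64,'
    + base64.b64encode(_PLAIN_SVG).decode("ascii")
    + '"></body></html>'
)

if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze_html_attachment(doc))
```

The script decodes the image rather than trusting the scanner's view of the outer HTML, which is the gap the post says these attachments exploit: a static scan of the .htm sees only an <embed> and a Base64 blob. Regex matching is deliberately loose so that attribute reordering or odd whitespace does not evade it; a production gateway would pair this with the blanket .htm block the post recommends.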

Users should handle emails containing HTML and .HTM attachments with care, and Avanan also advises admins to consider blocking them.

Hackers Employ Milanote App to Spread Phishing Emails


Collaborative applications saw a major surge in use during the pandemic, including Microsoft Teams, Google Meet, Zoom, and many others. Web-based software makes brainstorming, designing, and collaborating with team members easier for all kinds of ideas.

Milanote is among the most popular apps of this period. It is known as an application for creatives to take notes, compile material, and collaborate: sorting notes, gathering ideas, structuring activities and workflows, and much more. Companies such as Uber, Facebook, Google, and Nike are cited, among many others, as using it in their daily office routine.

According to analysts, the Milanote app, described by reviewers as "the Evernote for creatives," has caught the attention of cybercriminals, who abuse it to run credential-stealing campaigns that slip past secure email gateways (SEGs).

The report compiled and published on Thursday by Avanan indicates that the attackers target victims with a simple email whose subject line reads "Project Proposal Invoice". The email body is sparse, saying only, "Hello. See attached invoice for the above-referenced project. Please contact me if you have questions or need additional information. Thank you." There is no customization, branding, or other social-engineering hallmark in the mail.

“The email itself is pretty standard issue,” Gil Friedrich, CEO and co-founder of Avanan, stated. “It gets attention with the subject of ‘Invoice for Project Proposal.’ It’s certainly not the most sophisticated effort in the world; however, it understands what emails can get past static scanners, including, in this case, Milanote.”

If the recipient opens the attachment link in the email, a one-line document opens, reading "I shared a file with you. Click on the "Download" link (see below)", with a clickable "Open Docs" button.

Lately, the volume of these slippery phishing attacks has increased "dramatically," according to Avanan researchers. Of the 1,430 emails analyzed that contained a link to Milanote, 1,367 were part of phishing campaigns (a whopping 95.5%).

“[Most] use static scanners to scan attachments or links for malicious payloads,” according to the writeup. “In response, hackers are bypassing those detection mechanisms by nesting the payloads in deeper layers within legitimate services, fooling the static scanners. This is part of a larger trend of hackers utilizing legitimate services to host malicious content. Because the scanner doesn’t go that deep, hackers can leverage these services to host their content and easily send it to users.” 

Friedrich said that scammers have increasingly been employing this technique across a large number of services. Another aspect of the trend is that, with the advent of collaborative platforms, malicious actors have turned to them to devise new social-engineering techniques and evade defenses.

“We’re talking to people on Zoom, sharing thoughts on Slack, using whiteboards on Jamboard and thousands of other services. Email is still incredibly important, of course, but there are other places where information is transmitted,” he added. 

Cybercriminals can bring dangerous links to wherever users already are, rather than just to email, and many of these collaboration apps give them easy access. Because users did not receive the same phishing training for these platforms, they may have their guard down, which makes it an easy way for con artists to achieve many of their malicious goals. Users are advised to stay alert to the Milanote attack and similar fast-growing attacks by following the best safety practices available.

Threat Actors Use Google Drive and Docs to Host Novel Phishing Attacks


On Thursday, researchers at email and collaboration security firm Avanan revealed that attackers are using standard features of Google Docs/Drive to deliver malicious links aimed at stealing victims’ credentials.

In a blog post, Avanan said the attackers bypass link scanners and dodge the common security protections that verify links sent via email. Jeremy Fuchs, marketing content manager at Avanan, said this is the first time they have seen hackers employ these types of attacks through a Google-hosted document service. Usually, attackers lure their victims to a legitimate website before exploiting a particular site.

According to a report published by Trend Micro, phishing remains the top threat vector in today's cybercrime scene: of the 62.6 billion cyber-threats Trend Micro analyzed last year, over 91% were delivered via email. Previously, attackers have used this attack vector on smaller services such as MailGun, FlipSnack, and Movable Ink, according to Avanan.

According to researchers, once the hacker publishes the lure, “Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.”

The attackers then use the phishing lure to get the victim to “Click here to download the document.” Once the victim clicks, the page redirects to the actual malicious phishing site via a page designed to mimic the Google login portal. Friedrich said Avanan researchers also spotted the same method used to spoof a DocuSign phishing email; in that case, the “View Document” button was a published Google Docs link that actually led to a fake DocuSign login page, which transmitted the entered password to an attacker-controlled server via a “Log in” button.

“Combining this tactic with social engineering could create a very convincing campaign where the attacker can swipe personal or corporate login credentials. Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Once the attacker has those login credentials and can log into the cloud platform they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate,” said Hank Schless, senior manager of security solutions at Lookout.