New Phishing Attack Uses Morse Code to Avoid Detection By Your Email Scanners


Milkman21218
Advanced Member
Username: Milkman21218

Post Number: 680
Registered: 1-2004
Posted on Tuesday, February 16, 2021 - 10:54 pm:

CyberheistNews Vol 11 #07 | Feb. 16th., 2021

[HEADS UP] New Phishing Attack Uses Morse Code to Avoid Detection By Your Email Scanners

Yes – you read that right: Cybercriminals have found a way to use 1830s technology to trick 2020s security solutions into not identifying phishing attachments as malicious.

Like you, when I first read about this I shook my head and thought "no way – how would that even work?!?" But according to a post on reddit, the bad guys realized they could digitally encode their malicious JavaScript in Morse Code, effectively bypassing any email scanners.

The phishing attack starts out like any other, using some basic social engineering around paying an invoice and hosting an attachment made to look like an invoice with the filename '[company_name]_invoice_[number]._xlsx.hTML.'

But upon further inspection of the attachment, it leverages JavaScript, containing a basic decoding function where each letter and number is assigned a Morse code value, and then calls to decode a massive amount of Morse code stored within the file.

The result is when the html attachment is scanned, its contents appear benign to a security solution. But when run, the script converts the Morse code into two additional JavaScript tags that are injected into the page and executed.

The result of all this is a pretty creative rendering of a fake Excel document and an Office 365 logon screen, stating the user’s session had timed out.

Creative? Yes. Unique? No – bad guys can derive even their own simple character replacement encoding (e.g., ‘A’ would be replaced with ‘D’, ‘B’ with ‘E’, etc.) and one can achieve the same result.

The real stopping point here is the bogus email theming and horrible attachment name. Users that get stepped through security awareness training are able to quickly see this for what it is and stop the attack before it goes any further than making it past your filters.

Blog post with example screen shot:
https://blog.knowbe4.com/new-phishing-attack-uses-morse-code-to-avoid-detection-by-email-scanners
Izzy
CEF#502
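Added example, not part of the original post or the newsletter it quotes: a scanner-side heuristic for the traits described above (an Office extension placed before `.html`, a letter-to-Morse lookup table inside a script, and a long run of Morse text). The regex thresholds, function names, filename and sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristics for the traits the post describes (thresholds are assumptions).
MORSE_RUN = re.compile(r"[.\-]{1,7}(?:[ /|]+[.\-]{1,7}){19,}")   # 20+ Morse-like tokens in a row
MORSE_TABLE = re.compile(r"""['"][A-Za-z0-9]['"]\s*:\s*['"][.\-]{1,6}['"]""")  # 'a': '.-'
OFFICE_THEN_HTML = re.compile(r"[._-](xlsx?|docx?|pptx?|pdf)\.html?$", re.I)

class ScriptCollector(HTMLParser):
    """Collects the text of every <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def scan_attachment(filename, html):
    """Return the list of indicator names that fired for one attachment."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    js = "\n".join(collector.scripts)
    findings = []
    if OFFICE_THEN_HTML.search(filename):
        findings.append("office-extension-before-html")
    if len(MORSE_TABLE.findall(js)) >= 10:
        findings.append("morse-lookup-table")
    if MORSE_RUN.search(js):
        findings.append("long-morse-run")
    return findings

# Constructed sample: a harmless script holding a Morse table and an encoded placeholder string.
_MORSE = dict(zip("abcdefghijklmnopqrstuvwxyz", (
    ".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- "
    ".-. ... - ..- ...- .-- -..- -.-- --..").split()))

def constructed_sample():
    table = ", ".join(f"'{k}': '{v}'" for k, v in _MORSE.items())
    blob = " ".join(_MORSE[c] for c in "harmlessplaceholdertextfortest")
    return f"<html><body><script>var t = {{{table}}}; var d = '{blob}';</script></body></html>"

if __name__ == "__main__":
    print(scan_attachment("acme_invoice_1308._xlsx.hTML", constructed_sample()))
    print(scan_attachment("newsletter.html", "<script>console.log('hi - there');</script>"))
```

These patterns key on Morse specifically; as the newsletter points out, a different character-replacement encoding would achieve the same result, so treat a hit as one signal among several, not as complete coverage.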

Bigtone131
New member
Username: Bigtone131

Post Number: 1
Registered: 2-2021


Posted on Monday, February 22, 2021 - 3:02 pm:

Now that's interesting, going to have to read about it some more ... what will they think of next ...
