ARS NB9M

New phishing attack uses Morse code to hide malicious URLs



Posted By: Bradley Stone (UncleBrad) on 02/08/2021

 https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/

- February 8, 2021

A new targeted phishing campaign includes the novel obfuscation technique of using Morse code to hide malicious URLs in an email attachment.

Samuel Morse and Alfred Vail invented Morse code as a way of transmitting messages across telegraph wires. When using Morse code, each letter and number is encoded as a series of dots (short sound) and dashes (long sound).

Starting last week, a threat actor began utilizing Morse code to hide malicious URLs in their phishing form to bypass secure mail gateways and mail filters.

BleepingComputer could not find any references to Morse code being used in phishing attacks in the past, making this a novel obfuscation technique.

The novel Morse code phishing attack

After first learning of this attack from a post on Reddit, BleepingComputer was able to find numerous samples of the targeted attack uploaded to VirusTotal since February 2nd, 2021.

The phishing attack starts with an email pretending to be an invoice for the company with a mail subject like 'Revenue_payment_invoice February_Wednesday 02/03/2021.'

Phishing email


This email includes an HTML attachment named in such a way as to appear to be an Excel invoice for the company. These attachments are named in the format '[company_name]_invoice_[number]._xlsx.hTML.'

For example, if BleepingComputer was targeted, the attachment would be named 'bleepingcomputer_invoice_1308._xlsx.hTML.'

When viewing the attachment in a text editor, you can see that it includes JavaScript that maps letters and numbers to Morse code. For example, the letter 'a' is mapped to '.-' and the letter 'b' is mapped to '-...', as shown below.

Source code HTML phishing attachment


The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string. This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page.

Decoded JavaScript tags


These injected scripts, combined with the HTML attachment, contain the various resources necessary to render a fake Excel spreadsheet that states the user's sign-in timed out and prompts them to enter their password again.

HTML attachment displaying the phishing login form


Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials.

This campaign is highly targeted, with the threat actor using the logo.clearbit.com service to insert logos for the recipient's company into the login form to make it more convincing. If a logo is not available, it uses the generic Office 365 logo, as shown in the image above.

BleepingComputer has seen eleven companies targeted by this phishing attack, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti, and Capital Four.

Phishing scams are becoming more intricate every day as mail gateways become better at detecting malicious emails. 

Due to this, everyone must pay close attention to URLs and attachment names before submitting any information. If something looks at all suspicious, recipients should contact their network administrators to investigate further.

As this phishing email uses attachments with a double extension (xlsx and HTML), it is important to make sure that the display of file extensions is enabled in Windows, which makes suspicious attachments easier to spot.
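The two checks described above, as an added example (not code from the article or from the phishing kit): a static triage function that flags the double-extension attachment name and decodes any Morse-coded hex string literal it finds, so an analyst can read the hidden script tags without opening the file in a browser. The function names, the space-separated Morse layout and the sample HTML body are assumptions constructed for illustration.

```python
import re

# International Morse code for the 16 characters a hex string can contain.
MORSE_HEX = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}
# Quoted literal of only dots, dashes and spaces, long enough to be data.
MORSE_LITERAL = re.compile(r"""["']([.\- ]{40,})["']""")
# Office/PDF-looking extension placed in front of the real .htm/.html one.
DOUBLE_EXT = re.compile(r"\.[_ ]?(xlsx?|docx?|pdf)\.html?$", re.IGNORECASE)


def decode_morse_hex(morse):
    """Morse -> hex digits -> text. Returns None if the input is not
    Morse-coded hex (unknown symbol, odd digit count, or empty)."""
    try:
        hex_digits = "".join(MORSE_HEX[sym] for sym in morse.split())
        text = bytes.fromhex(hex_digits).decode("utf-8", errors="replace")
    except (KeyError, ValueError):
        return None
    return text or None


def triage_attachment(filename, html):
    """Return (finding, detail) pairs for one HTML attachment."""
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append(("double-extension", filename))
    for match in MORSE_LITERAL.finditer(html):
        decoded = decode_morse_hex(match.group(1))
        if decoded is not None:
            findings.append(("morse-hex-payload", decoded))
    return findings


# Attachment name quoted in the article; the HTML body is constructed here.
# The Morse string encodes the hex digits 3c7363726970743e ("<script>").
SAMPLE_NAME = "bleepingcomputer_invoice_1308._xlsx.hTML"
SAMPLE_HTML = (
    '<script>var p = decodeMorse("...-- -.-. --... ...-- -.... ...-- --... '
    '..--- -.... ----. --... ----- --... ....- ...-- .");</script>'
)

if __name__ == "__main__":
    for finding, detail in triage_attachment(SAMPLE_NAME, SAMPLE_HTML):
        print(f"{finding}: {detail!r}")
```

A decoded payload that begins with script tags, as in the constructed sample, is the point at which the attachment's real remote resources become visible to the analyst or to a content filter.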


  
