Light Dark
March 15, 2021 By David Bisson 2 min read
News

A very old way to send messages has found new life. Threat actors used Morse code in a new URL phishing campaign detected early in February 2021, according to Bleeping Computer.

Invented by Samuel Morse and Alfred Vail in the 19th century, Morse code was the bedrock of modern communication. It transmits messages over the telegraph using dots and dashes. It’s now also a means by which phishers can conceal their malicious URLs in an email attachment to evade detection.

Take a look at how attackers are using this kind of URL phishing and how to prevent it.

JavaScript Mapped to Morse Code in Spear Phishing Attack

The URL phishing attack begins when a user receives an email pretending to be an invoice, Bleeping Computer found. Because this attack is sent as an email to a specific company, it falls under the umbrella of targeting phishing or spear phishing. The attack email uses a subject line, such as ‘Revenue_payment_invoice February_Wednesday 02/03/2021,’ to support this disguise. The goal is to convince the recipient that it was safe for them to open the attachment. Once they do, it activates in the web programming language HTML.

The attackers crafted the name of the attachment to look like a personalized Excel spreadsheet for the company. The attachment used the format ‘[company_name]_invoice_[number]._xlsx.hTML.’

The attached URL phishing file included JavaScipt code that mapped letters and numbers to Morse code’s dots and dashes. Once run, the JavaScript used a decodeMorse() function to translate the Morse code into a hexadecimal string. Next, that string gave way to JavaScript tags that the campaign injected into the HTML page.

Those tags created the image of a fake Excel-based invoice and a custom login form. It informed the recipient that they needed to sign into their Office 365 account in order to view the file. If they did, the login form then stole the recipient’s credentials. From there, it uploaded them to a remote site where the attackers could retrieve them.

At the time of its reporting, Bleeping Computer had found attack attempts on 11 companies. This is the first known instance of phishing using Morse code.

Other Evasion Techniques Used by Phishers

Using Morse code in URL phishing isn’t the only evasive phishing technique in the news recently. In January 2020, PhishLabs came across one tactic in which phishers used a malicious website to call the gyroscope and accelerometers that are commonly found in smartphones. The idea here is that the website could change its behavior and cater to mobile users if it confirmed the presence of device motion and orientation events.

Several months later, Microsoft found that the CHIMBORAZO threat group had begun using websites with CAPTCHAs to avoid automated analysis.

Finally, a phishing operation in November 2020 inverted images used for its landing pages’ backgrounds in order to remain hidden from anti-phishing tools.

How to Defend Against a Phish

These tactics highlight the need for organizations to defend themselves against URL phishing. They can do this by using ongoing security awareness training to educate their users about some of the most common types of URL phishing attacks that are in circulation today. Organizations should position this education as part of a layered email security strategy that also leverages threat intelligence and other technical controls to help flag suspicious emails before they land in employees’ inboxes.

 |  | 
David Bisson
Contributing Editor

More from News
December 19, 2023

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

August 16, 2023

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature