Phishing operators have created a new obfuscation technique that uses Morse code to conceal malicious URLs within an email attachment. This is perhaps the first case of threat actors utilizing Morse code in such a way.
Threat Actors Using Morse Code in Phishing Attacks
The first instance was reported by Reddit users about a week ago, and malware researchers later discovered more samples uploaded to the VirusTotal engine.
The phishing scenario is a classic one: the malicious email masquerades as an invoice for the targeted company. Recipients should be aware that the attached document, which pretends to be an Excel invoice, is in fact malicious. The attachments in this campaign are named in the following pattern: [company_name]_invoice_[number]._xlsx.hTML, BleepingComputer reported.
The attachment contains JavaScript mapping letters and numbers to Morse code for obfuscation purposes.
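For mail-gateway or analyst triage, the two signals described above (the double-extension filename and a long Morse string inside the attachment) can be checked statically without opening the file in a browser. The following is an added example, not code from the campaign or from the original report; the space-separated symbol layout, the second hex layer, and the sample filename and URL are assumptions constructed for illustration.

```javascript
// Standard International Morse table for a-z and 0-9.
const MORSE = {
  ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
  "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
  "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
  "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
  "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
  "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
  "---..": "8", "----.": "9",
};
// Assumption: symbols are separated by single spaces inside a quoted string.
const MORSE_RUN = /(["'])((?:[.-]{1,5} ){15,}[.-]{1,5})\1/g;
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function decodeMorse(run) {
  return run.trim().split(/\s+/).map((sym) => MORSE[sym] ?? "?").join("");
}

// Assumption (not stated on the page): an all-hex result is a second hex layer.
function decodeHexIfPresent(text) {
  if (text.length % 2 !== 0 || !/^[0-9a-f]+$/.test(text)) return text;
  return text.replace(/../g, (b) => String.fromCharCode(parseInt(b, 16)));
}

function triageAttachment(filename, html) {
  const findings = [];
  // Office-looking name that is really HTML, e.g. "._xlsx.hTML".
  if (/\._?(xlsx?|docx?|pdf)\.html?$/i.test(filename)) findings.push("double-extension");
  const urls = [];
  for (const m of html.matchAll(MORSE_RUN)) {
    const decoded = decodeHexIfPresent(decodeMorse(m[2]));
    findings.push("morse-string");
    urls.push(...(decoded.match(URL_RE) || []));
  }
  return { findings, urls };
}

// Constructed sample: Morse of the hex encoding of "http://a.test" (reserved TLD).
const SAMPLE_NAME = "acme_invoice_1234._xlsx.hTML";
const SAMPLE_HTML = '<script>var m = "-.... ---.. --... ....- --... ....- --... ----- ...-- ' +
  '.- ..--- ..-. ..--- ..-. -.... .---- ..--- . --... ....- -.... ..... --... ...-- --... ....-";</script>';
console.log(triageAttachment(SAMPLE_NAME, SAMPLE_HTML));
```

Any URL recovered this way can be fed to the usual reputation and blocklist checks, and the `morse-string` finding alone is a reasonable reason to quarantine an HTML attachment.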
The end goal of the phishing attempt is to make the user reveal their login credentials. It should be noted that the attacks are highly targeted, and the phishing operator is using the logo.clearbit.com service to insert logos for the recipients’ companies. This makes the email appear more trustworthy. At least eleven companies have been targeted so far, including names such as SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital, Equinti, and Capital Four.
Other Examples of Novel Phishing Techniques
In 2019, an Akamai report revealed that phishing operators started using Google Analytics to gather information. This was yet another example of phishers getting better at leveraging novel techniques. The abuse of Google Analytics could help phishing campaigns become highly targeted.
Another report from the same year revealed that nearly 1 in 4 malicious URLs were found on trusted domains. The researchers observed this behavior across 9 distinct domain content categories (of the top 1,000 most popular domains), including URL shorteners (bit.ly, TinyURL, tiny.cc, etc.), cloud storage (Dropbox, SharePoint, Google Drive, etc.), and digital media (Tumblr, Imgur, etc.). That year more than 1.5 million unique phishing URLs were discovered.
We will continue to follow the trends in phishing campaigns, as they continue to evolve steadily, targeting both organizations and individuals.