This attack could give criminals control of your mobile or desktop browser
New attacks on phone users use malicious image files to redirect a user's browser without their knowledge.
A JavaScript-based redirect attack is serious because it can force your browser (mobile or desktop) to navigate to another website without your consent or even your knowledge. The concern is that your browser could be sent to malicious websites. This attack injects or manipulates JavaScript code on a legitimate webpage. Before you know it, the browser on your phone (or even your desktop computer) makes you the victim of a phishing scam, spyware, keyloggers (recording your keystrokes), and trojans.
The goal of this is to obtain the passwords you use, which would allow attackers to access your banking and financial apps. The JavaScript-based redirect attacks are being delivered via Scalable Vector Graphics (SVG) files. These are treated mostly as harmless image files but they can be embedded with script elements design to redirect mobile and desktop browsers to dangerous websites. The destinations of the redirects are determined by the attackers.
Example of credentials phishing with the name of the company used by the attackers edited. | Image credit-Ontinue
To increase the chances that the target will get involved with an email containing the SVG files (setting off the events leading to the theft of the user's personal information), spoofed email and impersonation are used to deliver the files. According to cybersecurioty solutions firm Ontinue, "Initial access is gained through a phishing campaign using spoofed or impersonated email senders. Attackers deliver the malicious SVG either as a direct file attachment or via a link to an externally hosted image that appears harmless."
According to Ontinue, the emails use weak or ineffectual email authentication domains. This allows the attackers to get potential victims to open the emails they send by pretending that they were sent by a trusted brands or an individual. The email includes "a call to action" which is an attempt to get the victim to open the image file or preview it on a mobile or desktop browser. Once the image is rendered, the SVG executes the embedded JavaScript silently. The JavaScript execution is achieved and the browser is then redirected without any user interaction.
"This technique demonstrates how adversaries are shifting away from executable payloads and towards smuggling(HTML and now SVG) techniques. By embedding script logic into image formats and using trusted browser functions, the attack chain avoids triggering traditional behavioral or signature-based alerts. JavaScript execution is achieved without requiring file drops or macros, and evasion is further enhanced by distributing the payload via spoofed emails that may pass basic anti-spam filters.
This campaign stands out for its use of browser-native redirection without requiring user interaction or external downloads. It bridges the gap between traditional phishing and full malware delivery, making it stealthy and effective."
This campaign stands out for its use of browser-native redirection without requiring user interaction or external downloads. It bridges the gap between traditional phishing and full malware delivery, making it stealthy and effective."
-Ontinue
Watch out for emails that get downright pushy about having you view an image file immediately. If an email looks as though it was sent from a company you do business with, look for spelling errors or call the company using a phone number that you find online. You can't trust all business numbers you get from Google since some are crowd-sourced and are open to manipulation by bad actors.
Follow us on Google News
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: