March 15, 2021 By David Bisson 2 min read

A very old way to send messages has found new life. Threat actors used Morse code in a new URL phishing campaign detected early in February 2021, according to Bleeping Computer.

Invented by Samuel Morse and Alfred Vail in the 19th century, Morse code was the bedrock of modern communication. It transmits messages over the telegraph using dots and dashes. It’s now also a means by which phishers can conceal their malicious URLs in an email attachment to evade detection.

Take a look at how attackers are using this kind of URL phishing and how to prevent it.

JavaScript Mapped to Morse Code in Spear Phishing Attack

The URL phishing attack begins when a user receives an email pretending to be an invoice, Bleeping Computer found. Because this attack is sent as an email to a specific company, it falls under the umbrella of targeting phishing or spear phishing. The attack email uses a subject line, such as ‘Revenue_payment_invoice February_Wednesday 02/03/2021,’ to support this disguise. The goal is to convince the recipient that it was safe for them to open the attachment. Once they do, it activates in the web programming language HTML.

The attackers crafted the name of the attachment to look like a personalized Excel spreadsheet for the company. The attachment used the format ‘[company_name]_invoice_[number]._xlsx.hTML.’

The attached URL phishing file included JavaScipt code that mapped letters and numbers to Morse code’s dots and dashes. Once run, the JavaScript used a decodeMorse() function to translate the Morse code into a hexadecimal string. Next, that string gave way to JavaScript tags that the campaign injected into the HTML page.

Those tags created the image of a fake Excel-based invoice and a custom login form. It informed the recipient that they needed to sign into their Office 365 account in order to view the file. If they did, the login form then stole the recipient’s credentials. From there, it uploaded them to a remote site where the attackers could retrieve them.

At the time of its reporting, Bleeping Computer had found attack attempts on 11 companies. This is the first known instance of phishing using Morse code.

Other Evasion Techniques Used by Phishers

Using Morse code in URL phishing isn’t the only evasive phishing technique in the news recently. In January 2020, PhishLabs came across one tactic in which phishers used a malicious website to call the gyroscope and accelerometers that are commonly found in smartphones. The idea here is that the website could change its behavior and cater to mobile users if it confirmed the presence of device motion and orientation events.

Several months later, Microsoft found that the CHIMBORAZO threat group had begun using websites with CAPTCHAs to avoid automated analysis.

Finally, a phishing operation in November 2020 inverted images used for its landing pages’ backgrounds in order to remain hidden from anti-phishing tools.

How to Defend Against a Phish

These tactics highlight the need for organizations to defend themselves against URL phishing. They can do this by using ongoing security awareness training to educate their users about some of the most common types of URL phishing attacks that are in circulation today. Organizations should position this education as part of a layered email security strategy that also leverages threat intelligence and other technical controls to help flag suspicious emails before they land in employees’ inboxes.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today