URL Phishing Campaign Hides Attack Behind Morse Code

March 15, 2021 @ 10:30 AM
| |
2 min read

A very old way to send messages has found new life. Threat actors used Morse code in a new URL phishing campaign detected early in February 2021, according to Bleeping Computer.

Invented by Samuel Morse and Alfred Vail in the 19th century, Morse code was the bedrock of modern communication. It transmits messages over the telegraph using dots and dashes. It’s now also a means by which phishers can conceal their malicious URLs in an email attachment to evade detection.

Take a look at how attackers are using this kind of URL phishing and how to prevent it.

JavaScript Mapped to Morse Code in Spear Phishing Attack

The URL phishing attack begins when a user receives an email pretending to be an invoice, Bleeping Computer found. Because this attack is sent as an email to a specific company, it falls under the umbrella of targeting phishing or spear phishing. The attack email uses a subject line, such as ‘Revenue_payment_invoice February_Wednesday 02/03/2021,’ to support this disguise. The goal is to convince the recipient that it was safe for them to open the attachment. Once they do, it activates in the web programming language HTML.

The attackers crafted the name of the attachment to look like a personalized Excel spreadsheet for the company. The attachment used the format ‘[company_name]_invoice_[number]._xlsx.hTML.’

The attached URL phishing file included JavaScipt code that mapped letters and numbers to Morse code’s dots and dashes. Once run, the JavaScript used a decodeMorse() function to translate the Morse code into a hexadecimal string. Next, that string gave way to JavaScript tags that the campaign injected into the HTML page.

Those tags created the image of a fake Excel-based invoice and a custom login form. It informed the recipient that they needed to sign into their Office 365 account in order to view the file. If they did, the login form then stole the recipient’s credentials. From there, it uploaded them to a remote site where the attackers could retrieve them.

At the time of its reporting, Bleeping Computer had found attack attempts on 11 companies. This is the first known instance of phishing using Morse code.

Other Evasion Techniques Used by Phishers

Using Morse code in URL phishing isn’t the only evasive phishing technique in the news recently. In January 2020, PhishLabs came across one tactic in which phishers used a malicious website to call the gyroscope and accelerometers that are commonly found in smartphones. The idea here is that the website could change its behavior and cater to mobile users if it confirmed the presence of device motion and orientation events.

Several months later, Microsoft found that the CHIMBORAZO threat group had begun using websites with CAPTCHAs to avoid automated analysis.

Finally, a phishing operation in November 2020 inverted images used for its landing pages’ backgrounds in order to remain hidden from anti-phishing tools.

How to Defend Against a Phish

These tactics highlight the need for organizations to defend themselves against URL phishing. They can do this by using ongoing security awareness training to educate their users about some of the most common types of URL phishing attacks that are in circulation today. Organizations should position this education as part of a layered email security strategy that also leverages threat intelligence and other technical controls to help flag suspicious emails before they land in employees’ inboxes.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more