Cyber Security News

Hackers Abuse HTML Smuggling Technique To Deliver Sophisticated Phishing Page

Phishing attackers employed an HTML smuggling technique to deliver a malicious payload, as the attack chain started with a phishing email mimicking an American Express notification, leading to a series of redirects. 

The final redirect pointed to a Cloudflare R2 public bucket hosting an HTML file, which loaded an external JavaScript code that contained a Base64-encoded string that, when decoded, revealed the actual phishing page, demonstrating the effectiveness of HTML smuggling in obfuscating malicious content.

Phishing mail impersonating American Express.

The JavaScript code first waits for the page to load before executing its functionality and then decodes a Base64-encoded HTML string into plain text, which is likely a malicious phishing page that is designed to trick users into revealing sensitive information. 

The code’s purpose is to create a hidden iframe within the web page and load the decoded phishing content into it, effectively disguising the malicious activity from the user.

The openFileURL function creates a downloadable or viewable file from decoded HTML content, which first constructs a blob object using the decoded data and the specified content type and then generates a URL referencing this blob. 

Finally, it redirects the browser to this URL, causing the content to be loaded and displayed. To prevent memory leaks, the function revokes the blob URL after a short delay.

the attack chain.

Blob URLs are temporary web addresses pointing to binary data stored in the browser. Cybercriminals exploit this feature to create malicious files locally, bypassing traditional security measures. 

These files can be used to deliver harmful payloads directly to users, making attacks harder to detect and trace.

By generating files on the client side, attackers can embed them into seemingly normal web pages or exploit browser vulnerabilities, posing a significant security risk.

The phishing pages demonstrate a sophisticated HTML smuggling technique where malicious code is concealed within seemingly legitimate HTML elements.

The pages mimic reputable services like DocuSign and Microsoft, aiming to deceive users into entering sensitive information. 

A generated HTML phishing page mimicking Microsoft.

By exploiting HTML’s flexibility, the attackers successfully disguise the malicious code within the HTML structure, making it difficult to detect by traditional security measures, which underscores the importance of vigilant security practices and the need for advanced threat detection mechanisms to combat evolving phishing attacks.

HTML smuggling is a growing concern in phishing attacks due to its ability to bypass traditional security measures, which involves hiding malicious content within seemingly harmless HTML files, often using obfuscation techniques like blob URLs to reference hidden data. 

According to Trustwave, as phishing attacks become more sophisticated, it is expected to see increased use of HTML smuggling, making it essential for organizations to adopt advanced security solutions capable of detecting and mitigating such threats.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

1 hour ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

1 hour ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

2 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago