Hacker holding Telegram

Phishing Alert: Morse code phishing campaign hides malicious URLs

A recent spear phishing campaign has been detected using quite an ingenious (if not very outdated) obfuscation technique. Morse code, which makes binary and textual data unreadable and/or hard to understand, is used to hide potentially threatening URLs in email attachments.

This particular phishing technique does not seem to have been documented in the past.

The phishing email fraudulently gives the impression that it is an invoice for the company to which it is sent, with email subjects such as ‘Revenue_payment_invoice February_Wednesday 02/03/2021.’

This particular email includes an attachment in HTML format, named in such a way to make the victim believe that the attachment is an invoice for the company which needs to be paid. For example, ‘PhishingTackle_invoice_201._xlsx.hTML.’

Once viewed in a text editor however, you can see that the attachment includes JavaScript which maps letters and numbers to Morse code. For instance, the letter “a” would be mapped to “.-“, as shown below.

The JavaScript then subsequently calls a decode Morse() function to decode a Morse code string into a hexadecimal string. These Hexadecimal numerals are widely used by systems designers and programmers because they provide a human-friendly representation of binary-coded values. This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page.

The injection of these scripts within the HTML attachment provide necessary means to present a fake Excel spreadsheet, stating their Sign-in has timed out and requests the victim to enter their password again.

Once the victim enters their password, the attackers are able to harvest their credentials and gain access to their Office 365 account.

As seen by this campaign, phishing attacks are being more and more sophisticated each day.

Does everybody in your organisation have the necessary skill needed to spot and mitigate one of these intricate scams? Find out in our Free Click-Prone® Test today.

Recent posts