Threat actors try scamming users out of their assets, hiding malicious URLs in empty image files, and bypassing antivirus defenses.
Attackers have found a way to bypass antivirus services like VirusTotal by implanting malware in “blank images” in emails, researchers at Avanan, a Check Point Software company, have discovered.
“Hackers can target practically anyone with this technique. Like most attacks, the idea is to use it to get something from the end-user. Any user with access to credentials or money is a viable target,” Jeremy Fuchs, a cybersecurity researcher at Avanan, told Cybernews.
As with most phishing attacks, threat actors target victims via email. The campaign presents potential victims with a fraudulent document supposedly originating from DocuSign, an electronic agreements management service.
Targeted users are asked to review and sign the document. Interestingly, unlike other phishing campaigns, the link takes users to a legitimate DocuSign page.
That way, attackers trick the victim into trusting the overall email. However, the real danger lurks in the HTM attachment sent together with the DocuSign link.
In essence, the attackers coax users into trusting the fraudulent email, which leads some of the victims to trust the attachment. However, clicking the attachment leads to a malicious site where scammers start casting their nets.
Researchers note that the attack is particularly crafty: because it layers obfuscation upon obfuscation, most security services are helpless against it.
To avoid falling victim to such attacks, users are advised to be cautious of any email that contains HTML or .htm attachments. At the same time, security administrators might consider blocking all HTML attachments.
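A gateway-side version of that advice, as an added example that is not from Avanan or Cybernews: a Python check that flags HTML attachments by file name or by declared content type, while leaving the ordinary HTML body of a message alone. The sample messages, addresses and file names are constructed for the demonstration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

HTML_EXTENSIONS = (".htm", ".html")
HTML_TYPES = {"text/html"}


def html_attachments(raw: bytes) -> list:
    """Return one finding per attached part that is HTML by name or by type."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").strip()
        # The ordinary HTML body has no filename and is not marked as an
        # attachment, so it is skipped; only attached files are inspected.
        if part.get_content_disposition() != "attachment" and not filename:
            continue
        if filename.lower().endswith(HTML_EXTENSIONS):
            findings.append(f"{filename}: HTML file extension")
        elif part.get_content_type() in HTML_TYPES:
            # Catches HTML sent under a non-HTML file name.
            findings.append(f"{filename or '(unnamed)'}: declared as text/html")
    return findings


def build_sample(name: str, maintype: str, subtype: str) -> bytes:
    """Constructed test message: text and HTML bodies plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Please review and sign"
    msg.set_content("Please review the document.")
    msg.add_alternative("<p>Please review the document.</p>", subtype="html")
    msg.add_attachment(b"<html><body>placeholder</body></html>",
                       maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in (("Scanned_doc.HTM", "text", "html"),
                 ("invoice.pdf", "application", "pdf"),
                 ("document.dat", "text", "html")):
        print(args[0], "->", html_attachments(build_sample(*args)) or "allowed")
```

A mail filter would quarantine or strip any message for which `html_attachments` returns a non-empty list.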