[CW] Phishing Attack Uses Morse Code

Chris R. NW6V chrisrut7 at gmail.com
Mon Feb 8 16:22:20 EST 2021


Great story Dave - thanks for passing it on.

Back in the late 1980s, I worked as project manager for a computer security
firm whose clients were all government agencies. My boss was the author of
"The Orange Book," bible of computer security, and had run the USAF's
"penetration squads" that broke into systems, learning how to break in, in an
effort to understand how to make them secure - which produced said "Orange
Book." Interesting job, "spooky" customers... Anyway: he told me the tale
of one major company (I forget the name - Rand?) who were so proud of their
mainframe they located it so people could see it, behind a glass wall, from
the company lunchroom. They first broke in by finding a password taped to a
secretary's keyboard, then leveraged that access to eventually get an
admin's password, and thus full rein. Because they weren't there to
damage, they then announced their success to the company, which immediately
changed passwords, declared their success a fluke - a lucky guess - and
dared them to do it again. Which they proceeded to do the next day, and
every day thereafter for a week, until at last the company admitted defeat.

How did they do it? During that first break-in they wrote and installed a
tiny program that read the admin password every time it was used, and every
day at noon sent it in Morse code by blinking a light on the mainframe,
which was visible from the lunchroom.

73 Chris NW6V

On Mon, Feb 8, 2021 at 9:35 AM D.J.J. Ring, Jr. <n1ea at arrl.net> wrote:

> A bit off topic, but be aware this is a new scam designed to infect your
> computer.
>
>
> https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/
>
> New phishing attack uses Morse code to hide malicious URLs
> By Lawrence Abrams
> <https://www.bleepingcomputer.com/author/lawrence-abrams/>
>
>
> February 7, 2021
>
> [image: Morse Code]
>
> A new targeted phishing campaign includes the novel obfuscation technique
> of using Morse code to hide malicious URLs in an email attachment.
>
> Samuel Morse and Alfred Vail invented Morse code as a way of transmitting
> messages across telegraph wire. When using Morse code, each letter and
> number is encoded as a series of dots (short sound) and dashes (long sound).
>
> Starting last week, a threat actor began utilizing Morse code to hide
> malicious URLs in their phishing form to bypass secure mail gateways and
> mail filters.
>
> BleepingComputer could not find any references to Morse code being used in
> phishing attacks in the past, making this a novel obfuscation technique.
>
> The novel Morse code phishing attack
>
> After first learning of this attack from a post on Reddit
> <https://www.reddit.com/r/cybersecurity/comments/le2q3v/first_time_ive_seen_this_a_malware_attachement_in/>,
> BleepingComputer was able to find numerous samples of the targeted attack
> uploaded to VirusTotal since February 2nd, 2021.
>
> The phishing attack starts with an email pretending to be an invoice for
> the company with a mail subject like 'Revenue_payment_invoice
> February_Wednesday 02/03/2021.'
> [image: Phishing email]
>
> This email includes an HTML attachment named in such a way as to appear to
> be an Excel invoice for the company. These attachments are named in the
> format '[company_name]_invoice_[number]._xlsx.hTML.'
>
> For example, if BleepingComputer was targeted, the attachment would be
> named 'bleepingcomputer_invoice_1308._xlsx.hTML.'
>
> When viewing the attachment in a text editor, you can see that they
> include JavaScript that maps letters and numbers to Morse code. For
> example, the letter 'a' is mapped to '.-' and the letter 'b' is mapped to
> '-...', as shown below.
> [image: Source code of the HTML phishing attachment]
>
> The script then calls a decodeMorse() function to decode a Morse code
> string into a hexadecimal string. This hexadecimal string is further
> decoded into JavaScript tags that are injected into the HTML page.
> [image: Decoded JavaScript tags]
>
> These injected scripts combined with the HTML attachment contain the
> various resources necessary to render a fake Excel spreadsheet that states
> their sign-in timed out and prompts them to enter their password again.
> [image: HTML attachment displaying the phishing login form]
>
> Once a user enters their password, the form will submit the password to a
> remote site where the attackers can collect the login credentials.
>
> This campaign is highly targeted, with the threat actor using
> the logo.clearbit.com service to insert logos for the recipient's companies
> into the login form to make it more convincing. If a logo is not available,
> it uses the generic Office 365 logo, as shown in the image above.
>
> BleepingComputer has seen eleven companies targeted by this phishing
> attack, including SGS, Dimensional, Metrohm, SBI (Mauritius) Ltd, NUOVO
> IMAIE, Bridgestone, Cargeas, ODDO BHF Asset Management, Dea Capital,
> Equinti, and Capital Four.
>
> Phishing scams are becoming more intricate every day as mail gateways
> become better at detecting malicious emails.
>
> Due to this, everyone must pay close attention to URLs and attachment
> names before submitting any information. If something looks at all
> suspicious, recipients should contact their network administrators to
> investigate further.
>
> As this phishing email uses attachments with a double extension (xlsx and
> HTML), it is important to make sure that Windows file extensions are
> enabled
> <https://www.bleepingcomputer.com/news/microsoft/hiding-windows-file-extensions-is-a-security-risk-enable-now/>
> to make it easier to spot suspicious attachments.
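As an added example, not code from the article or from the campaign it describes, here is a defender-side triage script for the scheme the quoted piece explains: it looks for a long space-separated run of dots and dashes inside an HTML attachment, checks whether every group is the Morse for a hex digit, decodes the hex, and reports script tags and URLs in the result so an analyst can see the hidden markup. The sample attachment, its `decodeMorse` call and the `example.invalid` URL are constructed here for the demonstration.

```python
import re
from binascii import unhexlify

# Standard International Morse for the sixteen hex digits: all the decoder needs,
# whatever letter table the attachment's own JavaScript happens to carry.
HEX_MORSE = {
    '0': '-----', '1': '.----', '2': '..---', '3': '...--', '4': '....-',
    '5': '.....', '6': '-....', '7': '--...', '8': '---..', '9': '----.',
    'a': '.-', 'b': '-...', 'c': '-.-.', 'd': '-..', 'e': '.', 'f': '..-.',
}
MORSE_HEX = {v: k for k, v in HEX_MORSE.items()}

# Twenty or more space-separated dot/dash groups anywhere in the file.
MORSE_RUN = re.compile(r"[.\-]{1,5}(?: [.\-]{1,5}){19,}")

def morse_to_hex(run):
    """Translate a run of Morse groups to a hex string; return None if any
    group is not a hex digit (a genuine Morse message, not an encoded payload)."""
    digits = [MORSE_HEX.get(g) for g in run.split(' ')]
    return None if None in digits else ''.join(digits)

def triage_attachment(html):
    """Return the decoded payloads hidden in an HTML attachment, each with the
    indicators an analyst wants first: script tags and remote URLs."""
    findings = []
    for m in MORSE_RUN.finditer(html):
        hexstr = morse_to_hex(m.group(0))
        if hexstr is None or len(hexstr) % 2:
            continue  # plain Morse text, or not a whole number of bytes
        decoded = unhexlify(hexstr).decode('latin-1')
        findings.append({
            'offset': m.start(),
            'decoded': decoded,
            'script_tag': '<script' in decoded.lower(),
            'urls': re.findall(r"https?://[^\s\"'<>]+", decoded),
        })
    return findings

# Constructed sample attachment (not a real campaign file): the hidden markup is
# hex-encoded and then written as Morse, mirroring the scheme in the article.
HIDDEN = '<script src="https://example.invalid/x.js"></script>'
SAMPLE_HTML = ('<html><script>var m={"a":".-","b":"-..."};'
               'var s="' + ' '.join(HEX_MORSE[c] for c in HIDDEN.encode().hex()) + '";'
               'document.write(decodeMorse(s));</script></html>')

if __name__ == '__main__':
    for finding in triage_attachment(SAMPLE_HTML):
        print(finding)
```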