{"id":25753,"date":"2025-02-05T11:20:58","date_gmt":"2025-02-05T19:20:58","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2025\/02\/05\/news-19476\/"},"modified":"2025-02-05T11:20:58","modified_gmt":"2025-02-05T19:20:58","slug":"news-19476","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2025\/02\/05\/news-19476\/","title":{"rendered":"Scalable Vector Graphics files pose a novel phishing threat"},"content":{"rendered":"

Credit to Author: Andrew Brandt| Date: Wed, 05 Feb 2025 17:01:03 +0000<\/strong><\/p>\n

\n

Criminals who conduct phishing attacks over email have ramped up their abuse of a new threat vector designed to bypass existing anti-spam and anti-phishing protection: The use of a graphics file format called SVG.<\/p>\n

The attacks, which begin with email messages that have .svg file attachments, started to spread late last year<\/a>, and have ramped up significantly since mid-January.<\/p>\n

The file format is designed as a method to draw resizable, vector-based images on a computer. By default, SVG files open in the default browser on Windows computers. But SVG files are not just composed of binary data, like the more familiar JPEG, PNG, or BMP file formats. SVG files contain text instructions in an XML format for drawing their pictures in a browser window.<\/p>\n

\"The<\/a>
The content of a legitimate SVG file source alongside a thumbnail<\/figcaption><\/figure>\n

But because SVG images can load and render natively inside a browser, they can also contain anchor tags, scripting, and other kinds of active web content. In this way, threat actors have been abusing the file format. The SVG files used in the attacks include some instructions to draw very simple shapes, such as rectangles, but also contain an anchor tag that links to a web page hosted elsewhere.<\/p>\n

\"A<\/a>
A malicious SVG links to a Google Docs file<\/figcaption><\/figure>\n

When a person unfamiliar with the format double-clicks the attachment in their email, their computer opens the SVG file in their browser. The browser renders both the vector graphics and the anchor tags in a new tab.<\/p>\n

\"A<\/a>
A simplistic malicious SVG hotlinks the recipient’s email and some text to a phishing page<\/figcaption><\/figure>\n

If the target clicks the link embedded in the SVG file, the browser will then open the link, which invariably leads to a social engineering trick designed to lure the target into a situation where they need to log in to an account.<\/p>\n

Social engineering tricks used in SVG phishing attacks<\/h3>\n

The subject lines and messages we\u2019ve seen use many tropes common to generic phishing attacks.<\/p>\n

One of the patterns being used asserts that the attachment is a legal document that requires a signature. The message subject may use one of the following lines, or something similar:<\/p>\n