Novel Phishing Scheme Uses Morse Code

Threat actors are masking malicious URLs behind Morse code in attachments. The new phishing scheme is both targeted and complex.

The tactics employed by threat actors are always changing, evolving as law enforcement and security professionals catch up to what they are doing. It’s a constant cycle, a vicious game of cat and mouse where no one wins. It’s not uncommon for hackers to put a new twist on an old trick, and this latest evolution is proof. Threat actors are now embedding Morse code into attachments as part of a phishing scheme to mask malicious URLs.

Yes, you read that right, Morse code. You know, the system of dots and dashes invented by Samuel Morse in the 1800s as a way to send messages over a telegraph wire. At the time, it was incredibly innovative and helped lay the foundation for electronic communication. Which is why threat actors are now using this technology. According to BleepingComputer, they were “able to find numerous samples of the targeted attack uploaded to VirusTotal since February 2nd, 2021.

The phishing attack starts with an email pretending to be an invoice for the company with a mail subject like ‘Revenue_payment_invoice February_Wednesday 02/03/2021.’

This email includes an HTML attachment named in such a way as to appear to be an Excel invoice for the company. These attachments are named in the format ‘[company_name]_invoice_[number]._xlsx.hTML.’”

If you look at the attachment in a text editor, you will see JavaScript that maps letters and numbers to Morse code. From there, it gets even more complicated. The script calls a decodeMorse() function to decode a Morse code string into a hexadecimal string; that hexadecimal string is then decoded into JavaScript tags, and those tags are injected into the HTML page. The injected scripts and HTML attachment together have the resources needed to produce a fake Excel spreadsheet with an alert that your sign-in timed out. You are then prompted to enter your password again, at which time the credentials are stolen for later use.
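For mail-gateway or analyst triage, the indicators described above can be checked statically, without opening the attachment in a browser. The following Python sketch is an added example, not code from the original article or from BleepingComputer; the function names, the hex-only Morse table and the sample attachment are constructed for illustration.

```python
import re

# International Morse code for the hex alphabet (0-9, a-f) only: an assumption
# of this example, matching the Morse -> hex stage the article describes.
MORSE = {"-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
         ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
         ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f"}

# Spreadsheet-looking name that really ends in .htm/.html, in any letter case.
DOUBLE_EXT = re.compile(r"\._?xlsx?\.html?$", re.IGNORECASE)
# Quoted run of at least eight space-separated dot/dash symbols.
MORSE_RUN = re.compile(r"""["']((?:[.-]{1,5} ){7,}[.-]{1,5})["']""")

def decode_morse_hex(run):
    """Statically decode Morse -> hex -> text; None if the run does not fit."""
    try:
        hex_text = "".join(MORSE[symbol] for symbol in run.split())
        return bytes.fromhex(hex_text).decode("utf-8", errors="replace")
    except (KeyError, ValueError):
        return None

def triage(filename, html):
    """Return findings for one attachment without executing its script."""
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("filename: spreadsheet name with HTML extension")
    if re.search(r"decodeMorse\s*\(", html):
        findings.append("script: decodeMorse() call")
    for match in MORSE_RUN.finditer(html):
        decoded = decode_morse_hex(match.group(1))
        if decoded is not None:
            findings.append("morse->hex->text: " + decoded)
    return findings

# Constructed sample (not a real attachment): the Morse run decodes to "<script>".
SAMPLE_NAME = "acme_invoice_1234._xlsx.hTML"
SAMPLE_HTML = """<html><body><script>
var table = {'a': '.-', 'b': '-...', '3': '...--'};
var s = "...-- -.-. --... ...-- -.... ...-- --... ..--- -.... ----. --... ----- --... ....- ...-- .";
decodeMorse(s);
</script></body></html>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_NAME, SAMPLE_HTML):
        print(finding)
```

Short quoted entries such as the mapping table itself are ignored by the run pattern; only long runs that decode cleanly through the hex stage are reported, which keeps ordinary HTML from producing findings.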

The attack is a highly targeted, incredibly well-done example of a socially engineered phishing scheme. The threat actors go to great lengths to make the email and attachment seem legitimate, which is why educating and training your employees on these types of emails is incredibly important. These types of attacks are increasingly common, increasingly intricate and increasingly complex. Employees must learn to recognize malicious attachments and URLs, but they cannot do that if they aren’t educated about the problem.

There also need to be policies and procedures around what to do if a malicious, or suspected malicious, email is detected. Employees should know where to forward the email, which phone number they should call, and have an outline of steps to take when an incident happens. You are never going to be 100% protected from cyberattacks, but the more prevention steps you can take, the better protected you’ll be and the more likely you are to catch something before it gets too far.

With this particular attack, it is important that the display of file extensions is enabled in Windows so that suspicious attachments, such as a supposed Excel invoice whose name actually ends in .hTML, are caught more quickly. If you don’t know how to do that, or don’t know what that means, we implore you to hire an expert. Just because it’s 2021 now doesn’t mean the increase in cyberattacks is going to stop. Now is not the time to let up. Protect your business.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who has founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
