Eric Stylemans’ Post

Phishing attackers used an HTML smuggling technique to deliver malware. The attack began with a phishing email that looked like an American Express notification, leading to several redirects. The last redirect went to a public Cloudflare R2 bucket hosting an HTML file. This file loaded external JavaScript code with a Base64-encoded string that, when decoded, revealed the actual phishing page. This shows how HTML smuggling can hide malicious content effectively. The JavaScript code waits for the page to load before decoding a Base64-encoded HTML string into plain text, likely a phishing page designed to trick users into revealing sensitive information. The code creates a hidden iframe to load the decoded phishing content, hiding the malicious activity from the user. The openFileURL function creates a downloadable file from the decoded HTML content by making a blob object with the data and content type, then generates a URL for this blob. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/g9AzdsPR #phishing #attackers #html #smuggling #malware #attack #americanexpress #cloudflare #javascript #malicious #url #cyberattack #cybersecurity #fhn #firsthackersnews #informationsecurity #latestupdates

"By delivering the malicious payload as seemingly harmless “HTML and JavaScript” the attackers evade certain security measures.This complete mechanism enables them to reveal the true phishing page upon client-side execution. The entire process illustrates a “multi-stage” attack chain that is specifically designed to evade detection and deliver a convincing phishing experience to potential victims." The tools you've been relying on to stop phishing attacks are no longer working. Training, though essential, is no longer enough. It's time to arm your employees, and your security team, with the tools they need to STOP phishing in its tracks. It's time for PhishCloud Inc. PhishCloud gives your security team the real-time visibility and control they need to see and block #phishing attacks your employees see. And with real-time metrics, you no longer need to rely on simulations and reporting to understand your phishing risk. PhishCloud arms employees with the tools they need to clearly spot and avoid #phishingattacks, across all digital platforms – not just email – letting them Click With Confidence. And PhishCloud delivers reality-based training that imparts real knowledge, not just awareness. Sound too good to be true? Give us 15 minutes to show you the power of PhishCloud Inc. www.phishcloud.com https://lnkd.in/e3PjCDue

"By delivering the malicious payload as seemingly harmless “HTML and JavaScript” the attackers evade certain security measures.This complete mechanism enables them to reveal the true phishing page upon client-side execution. The entire process illustrates a “multi-stage” attack chain that is specifically designed to evade detection and deliver a convincing phishing experience to potential victims." The tools you've been relying on to stop phishing attacks are no longer working. Training, though essential, is no longer enough. It's time to arm your employees, and your security team, with the tools they need to STOP phishing in its tracks. It's time for PhishCloud Inc. PhishCloud gives your security team the real-time visibility and control they need to see and block #phishing attacks your employees see. And with real-time metrics, you no longer need to rely on simulations and reporting to understand your phishing risk. PhishCloud arms employees with the tools they need to clearly spot and avoid #phishingattacks, across all digital platforms – not just email – letting them Click With Confidence. And PhishCloud delivers reality-based training that imparts real knowledge, not just awareness. Sound too good to be true? Give us 15 minutes to show you the power of PhishCloud Inc. www.phishcloud.com https://lnkd.in/e3PjCDue

"By delivering the malicious payload as seemingly harmless “HTML and JavaScript” the attackers evade certain security measures.This complete mechanism enables them to reveal the true phishing page upon client-side execution. The entire process illustrates a “multi-stage” attack chain that is specifically designed to evade detection and deliver a convincing phishing experience to potential victims." The tools you've been relying on to stop phishing attacks are no longer working. Training, though essential, is no longer enough. It's time to arm your employees, and your security team, with the tools they need to STOP phishing in its tracks. It's time for PhishCloud Inc. PhishCloud gives your security team the real-time visibility and control they need to see and block #phishing attacks your employees see. And with real-time metrics, you no longer need to rely on simulations and reporting to understand your phishing risk. PhishCloud arms employees with the tools they need to clearly spot and avoid #phishingattacks, across all digital platforms – not just email – letting them Click With Confidence. And PhishCloud delivers reality-based training that imparts real knowledge, not just awareness. Sound too good to be true? Give us 15 minutes to show you the power of PhishCloud Inc. www.phishcloud.com https://lnkd.in/e7W_TyMV

Phishing attackers used an HTML smuggling technique to deliver malware. The attack began with a phishing email that looked like an American Express notification, leading to several redirects. The last redirect went to a public Cloudflare R2 bucket hosting an HTML file. This file loaded external JavaScript code with a Base64-encoded string that, when decoded, revealed the actual phishing page. This shows how HTML smuggling can hide malicious content effectively. The JavaScript code waits for the page to load before decoding a Base64-encoded HTML string into plain text, likely a phishing page designed to trick users into revealing sensitive information. The code creates a hidden iframe to load the decoded phishing content, hiding the malicious activity from the user. The openFileURL function creates a downloadable file from the decoded HTML content by making a blob object with the data and content type, then generates a URL for this blob. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/gjRMMyEE #phishing #attackers #html #smuggling #malware #attack #americanexpress #cloudflare #javascript #malicious #url #cyberattack #cybersecurity #fhn #firsthackersnews #informationsecurity #latestupdates

Phishing attackers used an HTML smuggling technique to deliver malware. The attack began with a phishing email that looked like an American Express notification, leading to several redirects. The last redirect went to a public Cloudflare R2 bucket hosting an HTML file. This file loaded external JavaScript code with a Base64-encoded string that, when decoded, revealed the actual phishing page. This shows how HTML smuggling can hide malicious content effectively. The JavaScript code waits for the page to load before decoding a Base64-encoded HTML string into plain text, likely a phishing page designed to trick users into revealing sensitive information. The code creates a hidden iframe to load the decoded phishing content, hiding the malicious activity from the user. The openFileURL function creates a downloadable file from the decoded HTML content by making a blob object with the data and content type, then generates a URL for this blob. ~First Hackers News To Continue reading this article, click on this link >>> https://lnkd.in/gcpm8uJA #phishing #attackers #html #smuggling #malware #attack #americanexpress #cloudflare #javascript #malicious #url #cyberattack #cybersecurity #fhn #firsthackersnews #informationsecurity #latestupdates

Stay one step ahead of cyber threats by understanding bad actors' latest tactics. Check out this SpiderLabs blog post on how HTML smuggling and Blob URLs are being leveraged for phishing attacks. Advanced evasion tactics call for advanced mitigation:

Hackers Abuse HTML Smuggling Technique To Deliver Sophisticated Phishing Page: HTML smuggling is a sophisticated technique used by threat actors to deliver malware by embedding malicious JavaScript within seemingly harmless HTML files. This method exploits HTML5 and JavaScript features, allowing attackers to construct payloads directly on the victim’s machine when the HTML file is opened. Trustwave SpiderLabs researchers recently identified that hackers have been actively […] The post Hackers Abuse HTML Smuggling Technique To Deliver Sophisticated Phishing Page appeared first on Cyber Security News. #CyberSecurity #InfoSec

🔐 Beware of Punycode Attacks: A Hidden Threat to Your Cybersecurity 🛡️ In our interconnected digital world, cybercriminals are constantly looking for new ways to exploit vulnerabilities and trick users. One such method that’s both clever and dangerous is the Punycode Attack—a technique that disguises malicious URLs to look like legitimate ones, making it easier for attackers to trick users into visiting harmful sites. 🔎 What is a Punycode Attack? Punycode is a way of representing Unicode characters using ASCII, allowing internationalized domain names (IDNs) that include non-English characters (e.g., Chinese, Cyrillic, or Arabic) to be displayed in the URL bar. While Punycode enables users to type web addresses in their native languages, it also opens the door for homograph attacks—a type of phishing attack where characters from different alphabets are used to imitate familiar URLs. For example, an attacker could create a domain that visually resembles a trusted site, like “apple.com”, by replacing the English “a” with the Cyrillic “а.” Although the two characters appear identical, they are technically different, allowing attackers to create deceptive URLs that lead to phishing websites. When these URLs are converted to ASCII via Punycode, they appear as random strings, such as xn--80ak6aa92e.com, concealing the true nature of the website. 🚨 How Punycode Attacks Work Domain Registration: Attackers register domains using characters from different alphabets that look similar to English characters. For example, the Latin “o” could be replaced with a Greek “ο” to form a lookalike domain. URL Conversion: The Punycode system converts these international characters into ASCII, hiding the visual cues that might alert users to the scam. Phishing and Malware: Attackers use these domains to host phishing sites or distribute malware. Users think they’re visiting a trusted website, but instead, they’re interacting with a malicious page designed to steal credentials, download malware, or gather sensitive data. 🛡️ Protecting Yourself from Punycode Attacks Examine URLs Carefully: Look out for unusual characters in URLs. If you see a Punycode string (e.g., xn--), take a closer look before clicking or entering any information. Update Browsers and Security Settings: Many modern browsers, like Chrome and Firefox, have measures in place to detect Punycode domains. Ensure your browser is up to date and enable any built-in anti-phishing features. Use Multi-Factor Authentication (MFA): Even if your credentials are compromised, MFA adds an additional layer of security that makes it harder for attackers to access your accounts. Educate Your Team: Train employees to recognize and report suspicious URLs, emphasizing the risks of Punycode and homograph attacks. #CyberSecurity #PunycodeAttack #Phishing #HomographAttack #DigitalSafety #InformationSecurity #StayVigilant

Stay one step ahead of cyber threats by understanding bad actors' latest tactics. Check out this SpiderLabs blog post on how HTML smuggling and Blob URLs are being leveraged for phishing attacks. Advanced evasion tactics call for advanced mitigation: