Hackers Resorting to Morse Code to Avoid Being Caught
- By Dawna M. Roberts
- Published: Sep 22, 2021
- Last Updated: Mar 18, 2022
Hackers are unendingly clever. They constantly devise new ways of infiltrating businesses while also evading detection. The latest discovered by Microsoft is a set of attacks that use Morse code hidden within phishing campaigns.
What is Going On?
According to The Hacker News, "Microsoft has disclosed details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials."
The clever scheme uses phishing emails related to business financial transactions, usually invoices. They include an HTML file ("XLS.HTML") that is used to steal user credentials and infiltrate systems for future attacks.
The Hacker News says that:
"Microsoft likened the attachment to a 'jigsaw puzzle,' noting that individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal its true colors when these segments are decoded and assembled together. The company did not identify the hackers behind the operation."
The Microsoft 365 Defender Threat Intelligence Team is impressed by this latest attempt at fraud. The team is in awe of the sophistication used by the unknown assailants. The company also noted that "These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments."
How the Attack Works
When a user receives the suspicious email and clicks on the HTML file, it displays a fake Microsoft Office 365 login window on top of a grayed-out Excel file. Users may continuously try to log in using their correct credentials, but the website will show a message saying either the document timed out or the password is incorrect. All the while, hackers are storing the entered credentials into a database for later use.
Threat researchers claim that the ruse has evolved over ten iterations since June 2020. With each iteration, the code and the attack segments may change. For example, in February and May of 2021, Microsoft found these attacks using Morse code. The Hacker News commented that "later variants of the phishing kit were found to direct the victims to a legitimate Office 365 page instead of showing a fake error message once the passwords were entered."
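For defenders triaging HTML attachments, the sketch below flags Morse-encoded string literals and decodes them for review. It is an added example, not code from Microsoft or from the campaign. It assumes the Morse text sits in a quoted literal with spaces between symbols and "/" between words, and the sample attachment is constructed.

```python
import re

# International Morse code for a-z and 0-9, listed in that order.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
          "--.- .-. ... - ..- ...- .-- -..- -.-- --.. "
          "----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----.").split()
MORSE = dict(zip(_CODES, "abcdefghijklmnopqrstuvwxyz0123456789"))

# A quoted literal built only from dots, dashes, spaces and slashes.
LITERAL = re.compile(r"""(["'])([.\-/ ]{20,})\1""")
MIN_TOKENS = 8  # Ignore short runs such as a lone "..." or a dashed rule.

def decode_morse(text):
    """Decode Morse text; return None if any symbol is not valid Morse."""
    words = []
    for word in text.strip().split("/"):
        chars = [MORSE.get(tok) for tok in word.split()]
        if None in chars:
            return None
        words.append("".join(chars))
    return " ".join(w for w in words if w)

def find_morse_literals(html):
    """Return (line_number, decoded_text) for each Morse literal found."""
    findings = []
    for m in LITERAL.finditer(html):
        body = m.group(2)
        if len(body.split()) < MIN_TOKENS:
            continue  # Too few symbols to be an encoded segment.
        decoded = decode_morse(body)
        if decoded:
            line = html.count("\n", 0, m.start()) + 1
            findings.append((line, decoded))
    return findings

# Constructed sample attachment: one decorative rule, one Morse literal.
SAMPLE_HTML = """<html><body>
<script>
var rule = "------------------------";
var seg = ".... .. -.. -.. . -. / ... . --. -- . -. - / ..---";
</script>
</body></html>"""

if __name__ == "__main__":
    for line, text in find_morse_literals(SAMPLE_HTML):
        print(f"line {line}: Morse literal decodes to {text!r}")
```

A hit is a reason to inspect the attachment further, not a verdict on its own: the token threshold and the validity check only filter out decorative strings.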
Phishing Campaigns Still Number One
Email-based attacks remain the most prevalent form of infiltration into a business. The astounding part is how each new group comes up with unique new ways to evade detection and gain entry. "In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions."
The majority of data breaches were caused by employee error and phishing emails. Phishing works due to sophisticated social engineering tactics that employ the use of fear or panic to get users to click or download attachments without thinking.
A company's security is only as strong as its weakest link, which is usually an employee who receives a phishing email and doesn't know how to handle it. The solution is employee training on cybersecurity best practices for all staff levels.
Companies could avoid a lot of headaches, ransomware attacks, and exfiltration of data if they were to spend the time and money necessary to educate their entire workforce on the dangers of social engineering and phishing attempts.
What to Do to Stay Safe
The number one rule of thumb is never click a link in an unsolicited email. Do not download any attachments, and always verify the sender of the email before taking any action.