This attack could give criminals control of your mobile or desktop browser

Real Hacker Staff
This attack could give criminals control of your mobile or desktop browser

A JavaScript-based redirect attack is serious because it can force your browser (mobile or desktop) to navigate to another website without your consent or even your knowledge. The concern is that your browser could be sent to malicious websites. This attack injects or manipulates JavaScript code on a legitimate webpage. Before you know it, the browser on your phone (or even your desktop computer) makes you the victim of a phishing scam, spyware, keyloggers (recording your keystrokes), and trojans.

The goal of this is to obtain the passwords you use, which would allow attackers to access your banking and financial apps. The JavaScript-based redirect attacks are being delivered via  Scalable Vector Graphics (SVG) files. These are treated mostly as harmless image files but they can be embedded with script elements design to redirect mobile and desktop browsers to dangerous websites. The destinations of the redirects are determined by the attackers.

Example of credentials phishing with the name of the company used by the attackers edited. | Image credit-Ontinue

According to Ontinue, the emails use weak or ineffectual email authentication domains. This allows the attackers to get potential victims to open the emails they send by pretending that they were sent by a trusted brands or an individual. The email includes “a call to action” which is an attempt to get the victim to open the image file or preview it on a mobile or desktop browser. Once the image is rendered, the SVG executes the embedded JavaScript silently. The JavaScript execution is achieved and the browser is then redirected without any user interaction.

“This technique demonstrates how adversaries are shifting away from executable payloads and towards smuggling(HTML and now SVG) techniques. By embedding script logic into image formats and using trusted browser functions, the attack chain avoids triggering traditional behavioral or signature-based alerts. JavaScript execution is achieved without requiring file drops or macros, and evasion is further enhanced by distributing the payload via spoofed emails that may pass basic anti-spam filters.

This campaign stands out for its use of browser-native redirection without requiring user interaction or external downloads. It bridges the gap between traditional phishing and full malware delivery, making it stealthy and effective.”

                                                                                                                       -Ontinue

Watch out for emails that get downright pushy about having you view an image file immediately. If an email looks as though it was sent from a company you do business with, look for spelling errors or call the company using a phone number that you find online. You can’t trust all business numbers you get from Google since some are crowd-sourced and are open to manipulation by bad actors.

Get a Motorola Razr 2025 for just $199.99!

Switch to a 2-month Total 5G or 5G+ plan with Total Wireless and score this foldable deal.

We may earn a commission if you make a purchase


Check Out The Offer

Read the latest from Alan Friedman


Source link
Exit mobile version