To avoid getting flagged as malicious by crawlers designed to spot phishing sites, a unique Office 365 phishing campaign has been inverting images used as backgrounds for landing pages.
Such inverted backgrounds are commonly used in phishing campaigns that attempt to clone legitimate login pages and harvest victims’ credentials by tricking them into filling in a fake login form.
According to researchers, this strategy has been used by several Office 365 credential phishing sites while being deployed as part of the same phishing kit created and sold by a single threat actor to multiple users.
Since image recognition software is evolving and becoming more accurate, this new technique aims to bypass its scanning engines by inverting the colors of the image, which causes the image hash to differ from the original. This can hinder the software’s ability to flag the image altogether.
Reverting the background with CSS
The only hindrance to this strategy is that the inverted background is easily noticed by potential victims, who would instantly become suspicious and, most probably, leave the site immediately.
To avoid such a situation, the phishing kit designed to use this novel tactic automatically reverts the backgrounds using Cascading Style Sheets (CSS), so that they appear like the original backgrounds of the Office 365 login pages they imitate.
Potential victims who visit these pages will only see the original background, rather than the inverted image backgrounds that web crawlers are served.
The deployment of this tactic allows the phishing kit to display different versions of the same phishing landing page to victims and scanning engines, allowing the victims to be fooled and lured into the phishing scam.
According to researchers, this image inversion tactic was noticed within an actively used Office 365 credential phishing kit.
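As an added illustration (not code from the research or from the eScan post), the snippet below uses a constructed grayscale pixel row in place of the real background image and a constructed landing-page fragment. It shows why inversion defeats exact-hash matching, how an inversion-invariant hash restores the match for a known-bad background, and how to flag the CSS `filter: invert()` rule the kit relies on to show victims the original image. Function names and sample data are hypothetical.

```python
import hashlib
import re

# Constructed sample "image": one row of 8 grayscale pixels (0-255).
# It stands in for the real landing-page background, which is not on the page.
ORIGINAL = bytes([250, 248, 245, 240, 30, 35, 40, 255])

# Constructed landing-page fragment: background served inverted on disk,
# then flipped back for the visitor by a full CSS color inversion.
SAMPLE_HTML = """<html><head><style>
body { background: url('bg.png') no-repeat; filter: invert(100%); }
</style></head><body><form action="post.php">...</form></body></html>"""

# Matches `filter` / `-webkit-filter` declarations that apply a full inversion,
# written as invert(100%), invert(1) or invert(1.0). Partial inversions are ignored.
INVERT_FILTER = re.compile(
    r"(?:-webkit-)?filter\s*:\s*[^;}]*\binvert\s*\(\s*(?:100%|1(?:\.0+)?)\s*\)",
    re.IGNORECASE,
)


def invert(pixels: bytes) -> bytes:
    """Color inversion as applied to the stored background: each value becomes 255 - v."""
    return bytes(255 - v for v in pixels)


def sha256_hex(data: bytes) -> str:
    """Exact-match hash, the kind of signature the inversion trick is meant to break."""
    return hashlib.sha256(data).hexdigest()


def canonical_hash(pixels: bytes) -> str:
    """Inversion-invariant hash: hash whichever of (image, inverted image) is lighter.

    Serving the crawler an inverted copy then yields the same value as the
    original, so a signature for a known phishing background keeps matching.
    The (sum, bytes) key makes the tie-break deterministic in both directions.
    """
    lighter = max((pixels, invert(pixels)), key=lambda p: (sum(p), p))
    return sha256_hex(lighter)


def page_uses_css_invert(html: str) -> bool:
    """True when the page's CSS applies a full color inversion to some element."""
    return INVERT_FILTER.search(html) is not None
```

In a crawler pipeline the two checks complement each other: the canonical hash keeps a known background matchable, and the CSS check surfaces pages that invert whatever image they serve.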
Earlier this year, another Office 365 phishing campaign also used CSS tricks to bypass Secure Email Gateways (SEGs), reversing text in the phishing emails’ HTML code to fool the gateways’ Bayesian statistical models.
To read more, please check eScan Blog