Threat actors manipulate UTF-8 for phishing campaigns


Our researchers in iZOOlogic have recently spotted a new phishing campaign operated by threat actors that exploit the variable-width encoding UTF-8 to bypass email filters and push malicious payloads to their targeted victims’ email inboxes.

Based on our analysis of this phishing scheme, its tracks are easy to trace through the raw email headers, which carry tell-tale markers of the attack such as “=?utf-8?B?****=?=”. These Base64-encoded header values are crafted so that the mail client renders the desired fake sender and subject for the phishing emails.


One of our clients has been targeted with the phishing actor’s UTF-8 manipulation technique.


In an incident against our Middle East-based client, the phishing actors sent an email that appeared to come from “googlealerts-no-reply@google.com”. As this malicious sender address shows, the UTF-8 manipulation technique was used to engineer the ‘From’ field of the email and impersonate Google, delivering a fake alert message to the victim.

At first glance, the malicious email looks like a legitimate Google alert message urging the recipient to update their user account via the link in the email’s body. If the victim clicks on the link, a phishing webpage opens that requests their password.

Our researchers also noted that the phishing website appeared to be dynamic and used the target’s specific corporate ID to make the process look legitimate. Credentials harvested through the phishing website’s form are then sent to the threat operators’ remote server.

We have also found that our client’s email security solution initially blocked the phishing link attached to the email’s body. However, with the help of the UTF-8 manipulation technique, the attackers bypassed the email filters and pushed the phishing message into the client’s email inbox.
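The header pattern described above (“=?utf-8?B?…?=” in the From and Subject fields) is an RFC 2047 encoded-word, which is why a filter matching only the raw header text never sees the impersonated sender. The following detection check is an added example, not iZOOlogic’s own tooling: it builds a constructed sample message with the same trick, decodes the headers the way a mail client would, and flags a From display name that claims a domain (here google.com) the real sending address does not use. The sending domain mailer.example and the URL are hypothetical.

```python
import base64
import re
from email import message_from_string, policy

# Constructed sample (not from the advisory): the From display name is wrapped in an
# RFC 2047 Base64 encoded-word, so the raw header never contains "google.com".
IMPERSONATED_NAME = "googlealerts-no-reply@google.com"
DELIVERY_DOMAIN = "mailer.example"          # hypothetical real sending domain

def encoded_word(text: str) -> str:
    """Build a Base64 RFC 2047 encoded-word (=?utf-8?B?...?=) for a header value."""
    return "=?utf-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="

SAMPLE_EMAIL = (
    f"From: {encoded_word(IMPERSONATED_NAME)} <alerts@{DELIVERY_DOMAIN}>\n"
    f"Subject: {encoded_word('Google Alert: update your account')}\n"
    "To: employee@client.example\n"
    "\n"
    "Please update your account: http://phish-redirect.example/login\n"
)

ENCODED_WORD_RE = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")

def raw_header(msg, name: str) -> str:
    """Return the header as it appears on the wire, before RFC 2047 decoding."""
    for key, value in msg.raw_items():
        if key.lower() == name.lower():
            return value
    return ""

def analyse_from(raw_message: str) -> dict:
    """Decode the From header and list domains the display name claims but the address lacks."""
    msg = message_from_string(raw_message, policy=policy.default)
    raw_from = raw_header(msg, "From")
    mailbox = msg["From"].addresses[0]      # policy.default decodes encoded-words here
    display_name, addr_spec = mailbox.display_name, mailbox.addr_spec
    real_domain = addr_spec.rpartition("@")[2].lower()
    claimed = {d.lower() for d in re.findall(r"@([\w.-]+)", display_name)}
    return {
        "encoded_from": bool(ENCODED_WORD_RE.search(raw_from)),
        "display_name": display_name,
        "addr_spec": addr_spec,
        "subject": str(msg["Subject"]),
        "spoofed_domains": sorted(claimed - {real_domain}),
    }

def is_suspicious(raw_message: str) -> bool:
    """Encoded-word From header whose display name claims a domain the sender does not use."""
    result = analyse_from(raw_message)
    return result["encoded_from"] and bool(result["spoofed_domains"])

if __name__ == "__main__":
    print(analyse_from(SAMPLE_EMAIL))
```

Run the same check over the raw headers of quarantined mail to catch messages whose decoded sender differs from the one the filter inspected.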

After our SOC team at iZOOlogic detected this incident against our client, we immediately traced the phishing redirection domain and requested its urgent suspension.

CERT-PH has also noticed this attack technique recently, prompting it to release a notice to raise public awareness. Furthermore, our team believes that the UTF-8 manipulation technique is not confined to the Philippines but is widely utilised worldwide.

These days, email-bypass schemes are becoming more sophisticated as threat actors come up with many tactics to evade active email security filters and push malicious payloads into corporate email inboxes.

This targeted attack on our client led us to conclude that the phishing actors are attempting to collect credentials, especially passwords, to gain an initial foothold on the client’s network and work from there to escalate their privileges and steal critical data.

Hence, we strongly advise users to be more cautious of all the messages they receive, whether through emails, calls, or text messages, since the cybercriminal world is an ever-growing landscape that aims to harm unaware targets.
