Evening all,
I'm in the middle of working night-shift in the SOC of my employer.
Whilst analysing a phishing ticket, I came across something I'd never seen before.
There was a file attached to the phishing email that appeared to have a .paid filename extension.
It seemed curious that it was associated with Firefox since I'd never seen that type of file.
Turns out, it appears to be using bidi characters in the filename so the .htm filename extension appears as mth in the middle of the filename, as shown below.
Where the space is, there appear to be bidi characters reversing the direction of the next part.
Users.name5703 diap.htm
Very sneaky, and I'm not sure how to see the bidi characters?
I'll attach the file (I stripped the contents so there's nothing but text inside now).
Previously it was a very convincing self-contained and heavily obfuscated phishing page emulating an SSO login prompt.
I've also renamed it to txt instead of htm to allow upload.
Has anyone else ever seen this?
<edit> I just had a play and managed to create a nice example of how this could be used to trick people who weren't paying attention.
Makes an exe file look like a text file.
Steve, if you want to bring this to the attention of SN listeners, I'd love a shout-out.
Craig Stewart from Scotland.
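For anyone triaging a ticket like this, a small added example (not the poster's code or attachment) that flags Unicode bidi control characters in a filename and contrasts the extension a user sees with the one the OS acts on. The sample filename is constructed, modelled on the post with a RIGHT-TO-LEFT OVERRIDE (U+202E) assumed at the space; the display simulation is a deliberate simplification of the Unicode bidi algorithm that only models U+202E.

```python
import os
import unicodedata

# Bidi formatting characters we flag (assumption: overrides, embeddings,
# isolates and the LRM/RLM marks cover the filename-spoofing cases).
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

def find_bidi_controls(name: str) -> list[tuple[int, str, str]]:
    """(index, U+XXXX, Unicode name) for every bidi control in the filename."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ch in BIDI_CONTROLS]

def true_extension(name: str) -> str:
    """Extension the OS will act on: taken from the logical (stored) string."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()

def approximate_display(name: str) -> str:
    """Rough rendering of what a user sees. Simplification: only U+202E is
    simulated, by reversing the text after it up to a PDF (U+202C) or the end;
    every other bidi control is simply dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            run = "".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(run[::-1])
            i = end + 1          # skip the PDF too, if there was one
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def analyse_filename(name: str) -> dict:
    """What an analyst wants from a ticket: hidden controls, shown vs real extension."""
    controls = find_bidi_controls(name)
    shown = approximate_display(name)
    return {"suspicious": bool(controls), "controls": controls,
            "displayed_as": shown,
            "displayed_extension": os.path.splitext(shown)[1].lower(),
            "true_extension": true_extension(name)}

# Constructed sample modelled on the post: RLO at the space in "Users.name5703 diap.htm".
SAMPLE = "Users.name5703 \u202ediap.htm"

if __name__ == "__main__":
    for key, value in analyse_filename(SAMPLE).items():
        print(f"{key}: {value!r}")
```

Run it against the raw attachment name from the mail headers (not a name already copied through a GUI, which may strip the controls); a hit on `suspicious` with differing extensions is the indicator worth escalating.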