This article discusses the alarming rise in SVG (Scalable Vector Graphics) image-based attacks, particularly in phishing campaigns, fueled by Phishing-as-a-Service (PhaaS) platforms. Cybercriminals exploit SVG files because they can embed JavaScript, which lets malicious scripts execute seamlessly and can lead to significant data breaches. Organizations are advised to implement protective measures to mitigate these threats.
Affected: Organizations, cybersecurity, email security, Phishing-as-a-Service platforms
Key points:
- Trustwave SpiderLabs identifies a significant spike in SVG-based phishing attacks.
- Cybercriminals use SVG files to conceal dangerous links within seemingly harmless images.
- SVG files can contain JavaScript, enabling automatic execution of malicious scripts.
- A staggering 1800% increase in SVG phishing campaigns observed in early 2025.
- Attack-in-the-middle (AITM) Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA are key drivers of these attacks.
- A comparison of the SVG, PDF, DOC, and HTML file formats shows that SVG poses the higher risk for phishing.
- Users often have a false sense of security regarding SVG files, treating them as benign.
- Mitigation strategies include blocking SVG attachments, verifying senders, and using advanced threat detection systems.
- Indicators of compromise (IOCs) related to SVG phishing campaigns are provided.
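One way to triage SVG attachments for the embedded JavaScript and concealed links listed above, as an added example that is not from the original article or from Trustwave. The function name `scan_svg`, the tag list and the sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or load foreign markup inside an SVG.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}  # xlink:href becomes "href" once the namespace is stripped

def _local(name):
    """Drop the '{namespace}' prefix ElementTree adds and lowercase the rest."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data):
    """Return a list of findings for one SVG attachment (empty list = static image)."""
    # Refuse to parse DTDs: avoids entity-expansion tricks. Older legitimate
    # exports carry a DOCTYPE too, so treat this as "needs review", not proof.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append("element:" + tag)
        for name, value in el.attrib.items():
            attr = _local(name)
            target = re.sub(r"\s+", "", value).lower()  # defeat "java script:" padding
            if attr.startswith("on"):                   # onload, onclick, ...
                findings.append("handler:" + attr)
            elif attr in URL_ATTRS and target.startswith(("javascript:", "data:text/html")):
                findings.append("script-url:" + attr)
            elif attr in URL_ATTRS and target.startswith(("http://", "https://")):
                findings.append("external-link:" + attr)
    return findings

# Constructed samples (not taken from any real campaign).
NS = b'xmlns="http://www.w3.org/2000/svg"'
BENIGN = b"<svg " + NS + b'><circle r="4"/></svg>'
SCRIPTED = (b"<svg " + NS + b' onload="init()">'
            b'<script>location.href="https://example.invalid/"</script></svg>')
LINKED = (b"<svg " + NS + b' xmlns:xlink="http://www.w3.org/1999/xlink">'
          b'<a xlink:href="https://example.invalid/login"><rect width="9" height="9"/></a></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("scripted", SCRIPTED), ("linked", LINKED)):
        print(label, scan_svg(sample))
```

A mail gateway that cannot block SVG outright could quarantine any attachment for which this returns a non-empty list.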
MITRE Techniques:
- Phishing (T1566): Cybercriminals utilize SVG files in emails to lure victims, leveraging disguised dangerous links.
- Execution through web service (T1203): Malicious scripts embedded in SVG files execute automatically when opened in a web browser.
- Spear Phishing (T1571): Targeted emails mimic legitimate alerts, employing SVG files to trick users into credential harvesting.
Indicators of Compromise:
- [URL] hxxps[://]ut[.]sxbmjefh[.]ru/I6wx84s/
- [URL] hxxps[://]docs[.]google[.]com/drawings/d/1e6oBFLaz3YRncI8qZ–Mg7yh8Uzw8XK0uW5l-z-khKc/preview?pli=1
- [URL] hxxps[://]grado33closet[.]com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVl6WlpSVGs9JnVpZD1VU0VSMDQwMzIwMjVVNDEwMzA0MDM=#