Blank image attacks leverage DocuSign’s legitimacy.
Jan 19, 2023

Avanan researchers discuss a new attack utilizing blank SVG images containing malicious code in phishing emails.

Avanan, a Check Point Software company, released a blog this morning detailing a new attack in which hackers hide malicious content inside a blank image within an HTML attachment in phishing emails claiming to be from DocuSign.

About the blank image attack.

The campaign begins with an email appearing to originate from DocuSign, containing a link and an HTML attachment. The phishing email requests the review and signature of a document claiming to be “remittance advice.” If clicked, the “View Completed Document” button leads to a clean, legitimate webpage. The attachment, however, is not clean: if it is opened, the blank image attack begins. The attachment includes an SVG image encoded with Base64 containing JavaScript that redirects to the malicious link.

Techniques used, and caution advised.

Hiding the malware within the empty image hides the true intent of the message, and because the email itself contains a legitimate link, it can bypass link analysis and security scanners. Researchers advise caution around emails containing HTML attachments, and suggest blocking HTML attachments entirely, treating them like executables.
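
Where HTML attachments cannot be blocked outright, a triage step can decode what they carry instead of inspecting only the visible link. The following is an added example, not code from Avanan or the original report: it decodes Base64 runs in an HTML attachment and flags any embedded SVG that contains script. The function names, the 40-character threshold, the marker list and the sample inputs are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Base64 runs long enough to hold a small SVG document (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Active-content markers in SVG: <script>, on* event handlers, javascript: URLs.
ACTIVE = re.compile(r"<script\b|\son\w+\s*=|javascript:", re.I)
# Elements that actually draw something; none present means a "blank" image.
DRAWABLE = re.compile(r"<(path|rect|circle|ellipse|line|poly\w+|text|image|use)\b", re.I)


def decode_candidates(html):
    """Yield the text decoded from every plausible Base64 run in the attachment."""
    for match in B64_RUN.finditer(html):
        blob = match.group(0).rstrip("=")
        blob += "=" * (-len(blob) % 4)  # restore padding lost to truncation
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", errors="replace")


def scan_html_attachment(html):
    """Return one finding per Base64-embedded SVG that carries active content."""
    findings = []
    for text in decode_candidates(html):
        if "<svg" not in text.lower():
            continue
        markers = sorted({m.group(0).strip().lower() for m in ACTIVE.finditer(text)})
        if markers:
            findings.append({"markers": markers, "blank": not DRAWABLE.search(text)})
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed samples, not taken from the campaign described in the article.
ACTIVE_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed placeholder */</script></svg>'
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
SUSPICIOUS_HTML = '<html><body><embed src="data:image/svg+xml;base64,%s"></body></html>' % _b64(ACTIVE_SVG)
BENIGN_HTML = '<html><body><img src="data:image/svg+xml;base64,%s"></body></html>' % _b64(BENIGN_SVG)

if __name__ == "__main__":
    print(scan_html_attachment(SUSPICIOUS_HTML))
    print(scan_html_attachment(BENIGN_HTML))
```

A finding with `blank` set to true matches the pattern in the report: an image that renders nothing yet contains script.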

Expert comment on HTML attachment attacks.

Jeremy Fuchs, an Avanan Cybersecurity Researcher/Analyst, says that this is a new variation of existing attack methods:

“Hackers can target practically anyone with this technique. Like most attacks, the idea is to use it to get something from the end-user. Any user with access to credentials or money is a viable target. HTM attachments aren't new, nor are using Base64 trickery. What is new and unique is using an empty image with active content inside--a JavaScript image--which redirects to a malicious URL. It's essentially using a dangerous image, with active content inside that traditional services like VirusTotal don't detect.”

Added, 2:15 PM, January 20th, 2023.

Sameer Hajarnis, Chief Product Officer at OneSpan, commented on the global technological realities that enable this sort of attack:

"Today, the internet is built on insecure links. Because of this, the average individual must be vigilant before clicking on a link in an email, joining a Zoom meeting, or transferring money. Phishing techniques criminals are adopting have seen brands, like Amazon and DocuSign, also falling victim to advanced attacks, causing both financial and brand damage. These social engineering attacks often exploit the trust and familiarity we place with those we interact with daily. That is why the world needs security-infused workflows native to digital experiences that guarantee the integrity of people, data, transactions, and documentation. Organizations need to create a connected thread of trust between the business and the user throughout the entire digital customer journey. Until this happens, individuals should take precaution, double checking links before clicking too quickly and easily sign a form or enter their information."