Cybercriminals Use SVG Files for Hidden JavaScript Redirects

Summary
– A new phishing campaign uses SVG files to deliver JavaScript-based redirect attacks, requiring no executable download and no user interaction beyond opening the image.
– The attack embeds obfuscated JavaScript in SVG files, which decrypts a payload and redirects users to malicious domains via browser functions.
– Attackers spoof legitimate brands in emails and exploit weak email authentication controls like missing DKIM or DMARC policies.
– The campaign avoids detection by using geofencing, short-lived domains, and running entirely in the browser without executable drops.
– Targets include B2B service providers, and mitigation involves blocking SVGs, enforcing DMARC, and educating users on risky attachments.
Cybersecurity experts have uncovered a sophisticated phishing operation that weaponizes SVG image files to execute stealthy JavaScript redirects. Unlike traditional attacks that rely on executable files, this method embeds malicious scripts directly within seemingly harmless image content, bypassing conventional security measures with alarming efficiency.
The attack begins when users open an SVG file in their browser. Hidden within the image’s markup, obfuscated JavaScript decrypts a payload using a static XOR key, then silently redirects victims to attacker-controlled domains. These malicious URLs often contain Base64-encoded tracking strings, allowing cybercriminals to monitor their targets.
Emails distributing these SVG files spoof legitimate brands, exploiting weak email authentication protocols. Many targeted organizations lacked DKIM records, DMARC enforcement, or properly configured SPF settings, making it easier for attackers to slip past defenses.
John Bambenek of Bambenek Consulting noted, “Attackers prey on the misconception that image files are harmless. By embedding scripts in SVGs, they bypass traditional security checks while exploiting user trust.”
Evasion Techniques and Infrastructure
Jason Soroko from Sectigo emphasized, “Security teams must treat every SVG as a potential threat. Strip script tags, enforce strict DMARC policies, and monitor browser behavior for unauthorized redirects.”
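Because the redirect described above runs from markup that the browser treats as an image, a gateway check has to look inside the SVG rather than at its extension. The following Python is an added example, not code from the original article or any vendor it quotes: it parses an SVG, reports the script-capable content it finds (script elements, including ones nested in foreignObject, `on*` event-handler attributes, and `javascript:` hrefs), flags long Base64-like tokens inside script text as a heuristic for an encoded payload, and implements the "strip script tags" advice by removing those parts. The sample SVG is constructed for the test and carries no real payload. Function names are the author's own, and the use of the standard-library ElementTree parser is an assumption made for portability; a gateway that parses untrusted XML should use defusedxml to avoid entity-expansion attacks.

```python
"""Detect and strip active content in SVG files (added example, not from the article)."""
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default SVG prefix on output instead of ElementTree's ns0:
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Heuristic: a long run of Base64 alphabet characters inside script text.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _local(name: str) -> str:
    """Strip the {namespace} prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def _is_js_href(attr: str, value: str) -> bool:
    """True for href / xlink:href attributes whose value is a javascript: URL."""
    return _local(attr).lower() == "href" and value.strip().lower().startswith("javascript:")


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means no script-capable content was seen.

    Assumption: plain ElementTree is used here for portability. For untrusted input
    a production gateway should parse with defusedxml instead.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        name = _local(elem.tag)
        # Matches SVG <script> and XHTML <script> inside <foreignObject> alike.
        if name == "script":
            findings.append("script element")
            if BASE64_RUN.search(elem.text or ""):
                findings.append("long base64-like token inside script")
        for attr, value in elem.attrib.items():
            if _local(attr).lower().startswith("on"):
                findings.append(f"event handler attribute {_local(attr)} on <{name}>")
            if _is_js_href(attr, value):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def strip_active_content(svg_bytes: bytes) -> bytes:
    """Return the SVG with script elements, on* handlers and javascript: hrefs removed."""
    root = ET.fromstring(svg_bytes)
    # Collect first, then remove, so the tree is not mutated while being walked.
    doomed = [(parent, child) for parent in root.iter()
              for child in list(parent) if _local(child.tag) == "script"]
    for parent, child in doomed:
        parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            if _local(attr).lower().startswith("on") or _is_js_href(attr, elem.attrib[attr]):
                del elem.attrib[attr]
    return ET.tostring(root)


# Constructed test fixture: the "payload" is just Base64 of a placeholder sentence.
DUMMY_BLOB = base64.b64encode(b"constructed placeholder, not a real payload " * 2).decode()
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="init()">
  <rect width="10" height="10" fill="red"/>
  <a xlink:href="javascript:void(0)"><text>link</text></a>
  <script>var blob = "{DUMMY_BLOB}";</script>
</svg>""".encode()


if __name__ == "__main__":
    for finding in find_active_content(SAMPLE_SVG):
        print("FLAG:", finding)
    cleaned = strip_active_content(SAMPLE_SVG)
    print("after stripping:", find_active_content(cleaned) or "nothing flagged")
```

Flagging and stripping are kept as separate functions on purpose: a gateway that quarantines on any finding needs only the first, while a gateway that delivers a defanged copy needs the second and should still log what was removed.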
Targets and Mitigation Strategies
To defend against this threat, experts recommend:
- Enabling Safe Links and Safe Attachments in email security solutions
- Blocking SVG files at the email gateway
- Educating users on the risks of unexpected image attachments
- Implementing DMARC with strict alignment to prevent domain spoofing
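The article notes that targeted organizations often lacked DMARC enforcement and recommends DMARC with strict alignment. The following Python is an added example, not from the article: it parses a DMARC TXT record and lists the weaknesses a spoofing campaign of this kind would benefit from (a monitoring-only policy, relaxed alignment, partial enforcement, no reporting address), showing a weak record beside a hardened one. The records and the reporting address at example.com are constructed; the function names are the author's own, and the check takes the record text as input so it runs offline rather than querying DNS.

```python
"""Assess a DMARC record for enforcement and strict alignment (added example, not from the article)."""


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return the weaknesses found; an empty list means reject with strict alignment."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags["p"].lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        issues.append(f"unknown policy {policy!r}")
    # sp= defaults to p=, so only an explicit weaker subdomain policy is flagged here.
    if tags.get("sp", "").lower() == "none":
        issues.append("sp=none: subdomains are explicitly exempt from the policy")
    pct = tags.get("pct", "100")
    if pct != "100":
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # Relaxed alignment (the default) lets any subdomain's DKIM signature or SPF
    # domain align with the From: header; strict requires an exact match.
    if tags.get("adkim", "r").lower() != "s":
        issues.append("adkim=r (default): relaxed DKIM alignment")
    if tags.get("aspf", "r").lower() != "s":
        issues.append("aspf=r (default): relaxed SPF alignment")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    return issues


# Constructed records: the weak one is what many targeted organizations had, the
# hardened one is the recommended setting.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, rec)
        for issue in assess_dmarc(rec) or ["no issues"]:
            print("  -", issue)
```

In practice the record is fetched from the `_dmarc.<domain>` TXT entry; the assessment above is the part worth automating across every domain an organization sends from, since a single unprotected sending domain is enough for the spoofed brand emails the article describes.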
While enterprises with dedicated security teams can adapt, smaller businesses and individual users remain vulnerable. Proactive measures and user awareness are critical to thwarting these evolving threats.
(Source: InfoSecurity)