Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks

May 21, 2025, 9:08 p.m.

Description

The Trustwave SpiderLabs Email Security team has identified a significant increase in SVG image-based attacks, where seemingly harmless graphics are used to conceal dangerous links. Cybercriminals are exploiting the ability of SVG files to embed JavaScript, which can execute automatically upon opening. This technique has led to an 1800% increase in SVG-based phishing attacks in early 2025 compared to the previous year. The attacks are primarily driven by Phishing-as-a-Service (PhaaS) platforms like Tycoon2FA. These SVG files are particularly dangerous because they can bypass traditional security measures and appear innocuous to users. The blog post analyzes various techniques used in these attacks and provides recommendations for protection, including blocking SVG attachments, implementing advanced email security, and enhancing user awareness.
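Where SVG attachments cannot be blocked outright, a mail gateway or triage script can at least separate passive images from SVGs that carry active content. The following is an added example, not code from the Trustwave post: the function name, the finding labels and both sample SVGs are constructed for illustration, and it assumes the attachment bytes have already been extracted from the message.

```python
import re
import xml.etree.ElementTree as ET

# Link targets that run script or load HTML instead of pointing at a resource.
SCRIPT_URI = re.compile(r"^\s*(javascript:|data:text/html)", re.I)
EMBED_TAGS = {"foreignobject", "iframe", "embed", "object"}

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()

def find_active_content(svg_bytes):
    """Return sorted findings showing why an SVG is not a passive image."""
    # Assumption: entity declarations are refused outright rather than expanded.
    if b"<!ENTITY" in svg_bytes:
        return ["entity-declaration"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable"]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.add("script-element")
        elif tag in EMBED_TAGS:
            findings.add("embedded-html:" + tag)
        for attr, value in el.attrib.items():
            name = local(attr)  # also covers xlink:href
            if name.startswith("on"):
                findings.add("event-handler:" + name)
            elif name in ("href", "src") and SCRIPT_URI.match(value):
                findings.add("script-uri:" + name)
    return sorted(findings)

# Constructed samples: a plain drawing and an SVG carrying script hooks.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
              b'<script>/* constructed placeholder */</script>'
              b'<a href="javascript:void(0)"><rect width="9" height="9"/></a></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, find_active_content(sample))
```

Any non-empty result is a reason to quarantine or strip the attachment; an empty result only means none of these specific constructs were found.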

Date

  • Created: May 16, 2025, 8:51 a.m.
  • Published: May 16, 2025, 8:51 a.m.
  • Modified: May 21, 2025, 9:08 p.m.

Indicators

  • http://ut.sxbmjefh.ru/I6wx84s/
  • http://grado33closet.com/n/?c3Y9bzM2NV8xX25vbSZyYW5kPVl6WlpSVGs9JnVpZD1VU0VSMDQwMzIwMjVVNDEwMzA0MDM=
  • ut.sxbmjefh.ru
  • grado33closet.com

Attack Patterns

  • Ursnif - S0386
  • PE_URSNIF