HTML smuggling techniques have been around for quite some time. A previous Trustwave SpiderLabs blog discussed its use in distributing malware: the binary is stored as immutable blob data inside JavaScript code, decoded in the client-side browser, and thereby delivered as the payload.
Last month, Trustwave SpiderLabs researchers came across a phishing email (Figure 1) that mimics an American Express notification. The mail has a clickable link that serves as a redirector.
Figure 1: Phishing mail impersonating American Express.
As highlighted in Figure 1, the URL in the phishing email redirects to another simple redirector, which can be seen in Figure 2.
Figure 2: Second redirector.
The second redirector seen in Figure 2 finally leads to a Cloudflare R2 public bucket that hosts an HTML file (Figure 3). That HTML file loads the external JavaScript code needed to generate the actual phishing page.
Figure 3: Final HTML code that loads external JavaScript files.
The JavaScript loaded by the HTML in Figure 3 (shown in Figure 4) reveals the HTML smuggling technique: the actual HTML phishing page is encoded in a long Base64 string. Note that the string in Figure 4 is truncated to fit the screen.
Figure 4: JavaScript code that generates the encoded phishing page.
This JavaScript code seen in Figure 4 performs the following actions:
In summary, the script decodes a Base64-encoded HTML string, creates a blob from the decoded HTML content, generates a URL for that blob, and then loads that URL in the current browser window. This effectively renders the decoded HTML as a webpage whose address is a blob URI/URL, denoted by the blob: prefix, as seen in Figure 5.
Figure 5: Generated blob HTML phishing page mimicking American Express.
Figure 6 shows a diagram that summarizes what the attack chain looks like.
Figure 6: A diagram depicting the attack chain.
A blob URL (or URI) is a temporary web address that gives developers flexibility when handling files and media within the browser. A blob URI is a reference to binary data stored in a Blob object. Blob URLs, while useful, can also be exploited by cybercriminals through a method called HTML smuggling. This technique involves creating malicious files, including HTML pages, directly within the web browser using JavaScript rather than downloading them from a server. Here are the reasons cybercriminals use it:
In essence, HTML smuggling leverages the ability of blob URLs to create and handle files locally to evade security measures, making it a potent tool for attackers looking to distribute malicious content covertly.
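Because the chain described above (Base64 string decoded by atob(), wrapped in a Blob, turned into an object URL, then loaded into the window) is visible in the JavaScript itself, an analyst can triage a captured script statically and recover the smuggled page without rendering it. The following Python is an added example written for this post, not Trustwave's tooling or the script from Figure 4; the regexes, the 64-character threshold, the HTML markers and the sample script it runs against are all assumptions constructed for illustration.

```python
"""Static triage of JavaScript suspected of blob-URL HTML smuggling: finds the
atob() -> Blob -> URL.createObjectURL() -> navigation chain and decodes the
embedded Base64 literal so an analyst can inspect the smuggled page."""
import base64
import binascii
import re

# Indicators of the chain (regexes and the 64-char threshold are assumptions).
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),
    "blob": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "navigation": re.compile(r"\b(?:window\.)?location(?:\.href)?\s*=(?!=)|\bwindow\.open\s*\("),
}
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")  # quoted Base64 literal
HTML_MARKERS = ("<html", "<body", "<form", "<script", "<input")

def decode_candidates(js_source):
    """Return decoded Base64 literals that look like HTML, in source order."""
    found = []
    for m in B64_LITERAL.finditer(js_source):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 after all
        text = raw.decode("utf-8", errors="replace")
        if any(tag in text.lower() for tag in HTML_MARKERS):
            found.append(text)
    return found

def triage(js_source):
    """Report which links of the chain are present and any decoded payloads."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(js_source)]
    payloads = decode_candidates(js_source)
    return {
        "indicators": hits,
        "payloads": payloads,
        "smuggling": {"atob", "blob", "object_url"} <= set(hits) and bool(payloads),
    }

# Constructed sample mirroring the Figure 4 pattern (not the real script).
SAMPLE_HTML = '<html><body><form action="#"><input type="password" name="pw"></form></body></html>'
SAMPLE_JS = (
    'var h = atob("' + base64.b64encode(SAMPLE_HTML.encode()).decode() + '");\n'
    'var b = new Blob([h], {type: "text/html"});\n'
    'window.location.href = URL.createObjectURL(b);\n'
)
if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

The decoded payload is what an email gateway or sandbox never sees on the wire, so feeding it to the same phishing-page checks applied to ordinary HTML attachments is the practical next step.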
Here are additional phishing pages using the same HTML smuggling technique:
Figure 7: A generated HTML phishing page mimicking DocuSign.
Figure 8: A generated HTML phishing page mimicking Microsoft.
The rise of HTML smuggling in phishing is slowly becoming a major concern in the cloud era. This method stumps email scanners, endpoint protection, and other security tools, which often have a hard time unpacking, decoding, and spotting these sneaky phishing attempts. Unlike obvious phishing threats that immediately set off alarms, HTML smuggling hides phishing content within seemingly harmless HTML files, making it much easier to slip through the cracks of many security systems. The method outlined here, that of using a blob URL to reference blob data hidden in JavaScript, is yet another example of HTML smuggling used to circumvent security controls.
Looking ahead, HTML smuggling in phishing attacks is likely to become even more of a problem. We can expect to see more convincing fake emails that look like they’re from well-known brands, clever tricks to hide the HTML code, and complex schemes that, while needing more user interaction, will still manage to be effective.
Related URLs