Email security: Increased attacks with SVG

More and more phishing campaigns are using the little-known SVG vector graphics format. Such files can contain scripts that are executed when the image is opened.


(Image: solarseven/Shutterstock.com)


Since the beginning of the year, more and more phishing emails have contained a file attachment with an SVG graphic, as almost all providers of email security solutions unanimously report. Now, the Austrian CERT.at is also warning of the danger this poses.

Scalable Vector Graphics, or SVGs for short, consist of descriptive text in XML format that instructs the renderer – generally the browser – to draw objects at certain positions. The graphic can then be scaled to any size without, for example, the text becoming pixelated.

<svg width="320" height="120" xmlns="http://www.w3.org/2000/svg">
  <ellipse cx="160" cy="60" rx="150" ry="50" fill="#f0f0f0" stroke="red" stroke-width="2"/>
  <text x="160" y="50" font-family="Arial" font-size="24" fill="blue" text-anchor="middle">
    heise security
  </text>
  <text x="160" y="80" font-family="Arial" font-size="20" fill="black" text-anchor="middle">
    ROCKS
  </text>
</svg>

However, such vector graphics can also contain JavaScript code, which the browser executes when the file is opened. Phishers take advantage of this by directing recipients to fake login pages or installing malware. The aim is almost always to steal passwords or other access credentials. The SVGs often come in the form of invoices, alleged voice messages or documents to be signed.

This demo from my presentation at the heise security tour contains harmless JavaScript that outputs "heise security ROCKS".

Many security solutions do not check SVG files sufficiently, meaning that malicious code can reach the victim's systems in this way, warns the advisory from the Austrian security experts. As a preventive measure, the simplest solution is to block the receipt of SVG graphics, for example on the mail gateway. However, this can certainly lead to problems if these attachments are needed. In this case, it may be an option to move at least those emails that contain scripts to quarantine. Otherwise, it is necessary to rely on users to correctly assess the danger posed by SVGs; this can be supported with appropriate instructions and training.

(ju)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.