Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Trustwave's 2024 Financial Services Threat Reports Highlight Alarming Trends in Insider Threats & Phishing-as-a-Service. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

HTML Smuggling: How Blob URLs are Abused to Deliver Phishing Content

HTML smuggling techniques have been around for quite some time. A previous Trustwave SpiderLabs’ blog discussed its use in distributing malware by storing binaries in immutable blob data within JavaScript code that gets decoded on the client-side browser, eventually delivering the payload.

Phishing Delivered Through HTML Smuggling

Last month, Trustwave SpiderLabs researchers came across a phishing email (Figure 1) that mimics an American Express notification. The mail has a clickable link that serves as a redirector.

Figure 1. Phishing mail impersonating American Express.
Figure 1: Phishing mail impersonating American Express.

As highlighted in Figure 1, the URL in the phishing email redirects to another simple redirector, which can be seen in Figure 2.

Figure 2. Second redirector.
Figure 2: Second redirector.

The second redirector seen in Figure 2 finally leads to a Cloudflare R2 public bucket that hosts an HTML file (Figure 3) that loads an external JavaScript code necessary to generate the actual phishing page.

Figure 3. Final HTML code that loads external JavaScript files.
Figure 3: Final HTML code that loads external JavaScript files.

The loaded JavaScript code (Figure 4) from Figure 3 reveals the HTML smuggling technique — the actual HTML phishing page is encoded in a long Base64 string. Note that the string in Figure 4 is truncated to fit the screen.


Figure 4. JavaScript code that generates the encoded phishing page.
Figure 4: JavaScript code that generates the encoded phishing page.

This JavaScript code seen in Figure 4 performs the following actions:

  • Document Ready Function: The code inside $(document).ready(function() { ... }) runs once the page loads, initializing all the elements within its scope and makes it available for manipulation.
  • Encoded HTML String: The first variable encodedHtml contains a Base64 string that is the encoded version of the HTML phishing page.
  • Decoding the HTML String: The next variable decodedHtml is assigned with an atob() function that decodes the Base64-encoded string into plain text. In this case, the decoded content would be an HTML code.
  • Calling openFileURL: The function openFileURL is called with the arguments 'text/html' and the decoded HTML content. Within this function are several operations to create and open a downloadable or viewable file from the decoded data of the Document Ready Function:
    • Blob Creation: A blob object (myBlob) is created using the decoded HTML and the specified data type ('text/html'). A blob is a file-like object of immutable, raw data.
    • Creating a URL: The window.URL.createObjectURL() method generates a URL that references myBlob.
    • Navigation: window.location.href = url; changes the current page's URL to the blob URL, causing the browser to load the HTML content contained in the blob.
    • Revoking the URL: The setTimeout() function is used to revoke the blob URL after a short delay (100 milliseconds) to free up memory once the content has been loaded.

In summary, the script decodes a Base64-encoded HTML string, creates a blob from the decoded HTML content, generates a URL for that blob, and then loads the HTML content in the current browser window. This effectively displays the decoded HTML content as a webpage, as seen in Figure 5, as a Blob URI/URL denoted by the blob: prefix.

Figure 5. Generated blob HTML phishing page mimicking American Express.
Figure 5: Generated blob HTML phishing page mimicking American Express.

Figure 6 shows a diagram that summarizes what the attack chain looks like.

Figure 6. A diagram depicting the attack chain.
Figure 6: A diagram depicting the attack chain.

 

What is a Blob URL/URI?

A blob URL (or URI) is a temporary web address that gives developers flexibility when handling files and media within the browser. Blob URIs are a reference to binary data stored in a blob object. Blob URLs, while useful, can also be exploited by cybercriminals through a method called HTML smuggling. This technique involves creating malicious files including HTML pages directly within the web browser using JavaScript, rather than downloading them from a server. Here are the reasons cybercriminals use it:

  • Creation of Malicious Files: Cybercriminals can use JavaScript to generate files on the client side, which means the files are created and stored in the user's browser rather than on a remote server.
  • Bypassing Security Measures: Because these files are generated within the browser and not downloaded from a server, they can bypass traditional security filters that monitor incoming files from external sources. This makes it harder for conventional security tools to detect and block such files.
  • Distribution of Harmful Content: Once the malicious files are created, they can be used to deliver harmful payloads — such as malware or other malicious scripts — directly to the user. These payloads can be disguised as something harmless or legitimate, making them even more challenging for users and security systems to identify and block.
  • Stealthy Attacks: Since the files are created and handled locally within the browser, the attack is less visible and harder to trace. Attackers can embed these files into seemingly normal web pages or use them to exploit vulnerabilities in the browser itself.

In essence, HTML smuggling leverages the ability of blob URLs to create and handle files locally to evade security measures, making it a potent tool for attackers looking to distribute malicious content covertly.

 

Additional Samples

Here are additional phishing pages using the same HTML smuggling technique:

Figure 7. A generated HTML phishing page mimicking DocuSign.
Figure 7: A generated HTML phishing page mimicking DocuSign.

Figure 8. A generated HTML phishing page mimicking Microsoft
Figure 8: A generated HTML phishing page mimicking Microsoft.

 

Conclusion

The rise of HTML smuggling in phishing is slowly becoming a major concern in the cloud era. This method stumps email scanners, endpoint protection, and other security tools, which often have a hard time unpacking, decoding, and spotting these sneaky phishing attempts. Unlike obvious phishing threats that immediately set off alarms, HTML smuggling hides phishing content within seemingly harmless HTML files, making it much easier to slip through the cracks of many security systems. The method outlined here, that of using a blob URL to reference blob data hidden in JavaScript, is yet another example of HTML smuggling used to circumvent security controls.

Looking ahead, HTML smuggling in phishing attacks is likely to become even more of a problem. We can expect to see more convincing fake emails that look like they’re from well-known brands, clever tricks to hide the HTML code, and complex schemes that, while needing more user interaction, will still manage to be effective.

 

Related URLs

  • hxxps://www[.]imperauto[.]com[.]br/tmp/Y8Z57m
  • hxxps://csp[.]wsiz[.]pl/wp-admin/one[.]htm
  • hxxps://pub-bbe243ba90f4462ea7249d1206164f64[.]r2[.]dev/index[.]html
  • blob:hxxps://pub-bbe243ba90f4462ea7249d1206164f64[.]r2[.]dev/013a95bc-e14b-40b6-9524-762cfa05262b
  • hxxps://hyp[.]ekspar[.]com[.]tr/class/tmp/amex-fix2/res[.]php

About the Author

Mike Casayuran is a Threat Researcher at Trustwave with over 13 years of experience in email security. He is currently part of the SpiderLabs Email Team, where he is responsible for building machine-learning models to protect customers from URL-borne threats. Follow Mike on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo