-
SVG Attack Vector
An obvious spam email blew past the filters:
Spam SVG Audio – email You can tell it’s spam, too. Right?
Those of you running Windows should have undone whatever setting removes file extensions from the usual views, because by default Windows won’t bother you with such trivia.
But, hey, maybe an SVG file can contain an audio recording. I mean, there’s an online file converter for that, so it must be a thing.
Spoiler: Audio-in-SVG really is a thing.
Having been around this block a couple of times, though, let’s peek inside the SVG file with a text editor:
Spam SVG Audio – attachment Huh. Not an audio recording, but a Javascript one-liner with a URL/URI/IRI/whatever aiming Your Default Browser at a presumably compromised server.
I didn’t go further, but surely the payload would wrestle Your Default Browser into a position allowing insertion of a remote compromise.
Well played, spammer!
Just another entry in the “Why friends don’t let friends run Windows” category, despite knowing whenever security and convenience come into conflict, convenience always wins.
-
Subscribe
Subscribed
Already have a WordPress.com account? Log in now.
The Smell of Molten Projects in the Morning 