Hackers are turning to obfuscation tactics relying on glossy advertising photos from Delta Airlines and retailer Kohl’s, tricking users into visiting credential harvesting sites and giving up personal information.
A recent campaign analyzed by Avanan showed how threat actors hide malicious links behind convincing photos offering gift cards and loyalty programs from such trusted brands. More broadly, the campaign is part of a larger trend of cybercrooks updating old tactics with new tooling — such as AI — that makes phishes more convincing.
Avanan researchers, who dubbed the obfuscation technique “picture in picture,” noted that the cybercriminals behind the attacks are simply linking the marketing photos to malicious URLs. This is not to be confused with steganography, which encodes malicious payloads at the pixel level within an image.
Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, notes that steganography is often super complex, and “this is a much simpler way of doing things that might still have the same impact and is easier for the hackers to replicate at scale.”
Corporate URL Filters Stymied by Picture Obfuscation
While straightforward, the picture-in-picture approach makes it more difficult for URL filters to pick up the threat, Avanan researchers noted.
“[The email will] look clean [to filters] if they aren’t scanning within the image,” according to the analysis. “Often, hackers will happily link a file, image, or QR code to something malicious. You can see the true intention by using OCR to convert the images to text or parsing QR codes and decoding them. But many security services don’t or can’t do this.”
Fuchs explains that the other key benefit of the approach is to make the maliciousness less apparent to targets.
“By tying in social engineering to obfuscation, you can potentially present end-users with something very tempting to click on and act on,” he says, adding the caveat that if users hover over the image, the URL link is clearly not related to the spoofed brand. “This attack is fairly sophisticated, although the hacker probably loses points by not using a more original URL,” he said.
While the phish casts a wide consumer net, businesses should be aware given that airline loyalty program communications often go to corporate inboxes; and, in the age of remote work, many employees are using personal devices for business, or accessing personal services (like Gmail) on business-issued laptops.
“In terms of impact, [the campaign] was aimed at a large number of customers, in multiple regions,” Fuchs adds. “While it’s hard to know who the perpetrator is, things like this can be often easily downloaded as ready-to-go kits.”
Using Gen AI to Update Old Tactics
Fuchs says that the campaign fits in with one of the emerging trends seen in the phishing landscape: spoofs that are nearly indistinguishable from legitimate versions. Going forward, the use of generative AI (like ChatGPT) to aid obfuscation tactics when it comes to image-based phishing attacks will only make these harder to spot, he adds.
“It’s super easy with generative AI,” he says. “They can use it to quickly develop realistic images of familiar brands or services and do so at scale and without any design or coding knowledge.”
For instance, using only ChatGPT prompts, a Forcepoint researcher recently convinced the AI into building undetectable steganography malware, despite its directive to refuse malicious requests.
Phil Neray, vice president of cyber defense strategy at CardinalOps, says the AI trend is a growing one.
“What’s new is the level of sophistication that can now be applied to make these emails appear to be almost identical to emails you would receive from a legitimate brand,” he says. “Like the use of AI-generated deepfakes, AI now makes it much easier to create emails with the same textual content, tone, and imagery as a legitimate email.”
In general, phishers are doubling down on what Fuchs calls “obfuscation within legitimacy.”
“What I mean by that is hiding bad things in what looks like good things,” he explains. “While we’ve seen plenty of examples of spoofing legitimate services like PayPal, this uses the more tried-and-true version, which includes fake, but convincing looking, images.”
Leveraging URL Protection to Protect From Data Loss
The potential implications of the attack for businesses are monetary loss and data loss, and to defend themselves, organizations should first look to educate users about these types of attacks, stressing the importance of hovering over URLs and looking at the full link before clicking.
“Beyond that, we think it’s important to leverage URL protection that uses phishing techniques like this one as an indicator of an attack, as well as implementing security that looks at all components of a URL and emulates the page behind it,” Fuchs notes.
Not everyone agrees that existing email security isn’t up to the task of catching such phishes. Mike Parkin, senior technical engineer at Vulcan Cyber, notes that many email filters would catch these campaigns and either mark it as spam at worst, or flag it as malicious.
He notes spammers have been using images in lieu of text for years in the hopes of bypassing spam filters, and spam filters have evolved to deal with them.
“While the attack has been fairly common of late, at least if the spam in my own junk mail folder is any indication, it’s not an especially sophisticated attack,” he adds.
AI-enabled attacks might be a different story though. CardinalOps’ Neray says the best way to fight those more advanced image-based attacks is to use large amounts of data to train AI-based algorithms how to recognize fake emails — by analyzing the content of the emails themselves as well as by aggregating information about how all other users have interacted with the emails.