Can you believe it? A seemingly innocent image file can ultimately fool you into giving up your password? That’s precisely what happened during a phishing scheme discovered by VirusTotal found hidden inside SVG (Scalable Vector Graphics) files. These files look and behave the same way that a smaller logo or icon ordinarily does--they are normally innocuous. But the hackers had found a new way to trap people. How creepy, right?
Since SVG files use text-based structures, hackers can hide all sorts of scripts and still maintain the basic appearance of a normal image file.
• A fake SVG file is delivered (emails, downloads, or websites).
• The file runs hidden code on the device and redirects the user.
• A fake login page that looks real (like Google, Microsoft, or the user's bank) opens.
• The user enters information, and the hackers steal the information.
Quick, straightforward, and extremely dangerous.
• Do not click on unknown attachments even though they may look like pictures.
• Using updated antivirus software references VirusTotal and others.
• Always hover your mouse over a web link before you enter your login information (to see if it’s going to a phishing site).
• It’s wise to enable two-factor (MFA) so hackers can’t get in even if they have your password and other information.
So, the next time you have an image file come through in your inbox, perhaps you will think twice about whether to click on it first. Better to be safe than sorry!
What VirusTotal Found
VirusTotal, a Google owned tool that allows users to scan any file for nasty viruses, discovered malicious code hidden inside SVG pictures. Instead of showing only an image, they opened a fake website, or fake page on a website. These attacked image files scam all sorts of usernames, passwords, or banking information.Since SVG files use text-based structures, hackers can hide all sorts of scripts and still maintain the basic appearance of a normal image file.
Why This Is Such A Big Deal
SVG files are so common--every website has them, and every mobile app has them, nearly every email has them. Because offers are treated as safe file types (silly consumers), this will enable attackers to attack many unsuspecting losers since people see them as perfectly safe. Let's face it: do you ever fear an image file? Absolutely not! And this is why it works so well.How The Scam Works
Here’s how the attack occurs step by step:• A fake SVG file is delivered (emails, downloads, or websites).
• The file runs hidden code on the device and redirects the user.
• A fake login page that looks real (like Google, Microsoft, or the user's bank) opens.
• The user enters information, and the hackers steal the information.
Quick, straightforward, and extremely dangerous.
My Thoughts
SVG files for design are my preference because they are lightweight and clear. But now I know they can be potentially dangerous. Who would have thought? If hackers can perform attacks using image files, then we can’t trust anything, online.How to Safeguard Yourself
No need to be alarmed but surely to be wise:• Do not click on unknown attachments even though they may look like pictures.
• Using updated antivirus software references VirusTotal and others.
• Always hover your mouse over a web link before you enter your login information (to see if it’s going to a phishing site).
• It’s wise to enable two-factor (MFA) so hackers can’t get in even if they have your password and other information.
Conclusion
The finding from VirusTotal clearly shows that even image files, such as SVGs, may contain malicious phishing malware in them. Although hackers are getting smarter, so can we. Even with a little extra thought and caution; we can check before we click and overall be secure within ourselves.So, the next time you have an image file come through in your inbox, perhaps you will think twice about whether to click on it first. Better to be safe than sorry!
