Cofense Intelligence reveals a novel phishing technique using blob URIs to create local fake login pages, bypassing email security and stealing credentials.

Cybersecurity researchers at Cofense Intelligence have reported a new and increasingly effective method cybercriminals are using to deliver credential phishing pages directly to users’ email inboxes. The technique, which emerged in mid-2022, leverages “blob URIs” (binary large object Uniform Resource Identifiers).

Blob URIs are addresses that point to temporary data held by your web browser on your own computer. They have legitimate uses on the web; YouTube, for example, temporarily stores video data in a user’s browser for playback.

A key characteristic of blob URIs is their localized nature: a blob URI created by one browser cannot be accessed by any other, even on the same device. This inherent privacy feature, although beneficial for legitimate web functions, has been weaponized by threat actors for malicious purposes.

According to Cofense Intelligence’s analysis, shared with Hackread.com, because blob URI data is never hosted on the public internet, the security systems that inspect emails cannot easily see the malicious fake login pages.

So the link in one of these phishing emails doesn’t go straight to a fake website. Instead, it usually sends you to a real website that security programs trust, such as Microsoft’s OneDrive, which then forwards you to a hidden webpage controlled by the attacker.

That hidden page uses a blob URI to build the fake login page right inside your browser. Even though the page exists only on your computer, it can still capture your username and password and send them to the attackers.

Researchers noted that this presents a challenge for automated security systems, particularly Secure Email Gateways (SEGs), which analyze website content to identify phishing attempts. Because phishing attacks using blob URIs are new, AI-powered security models may not yet be adequately trained to distinguish legitimate from malicious uses.

This lack of pattern recognition, combined with the common attacker tactic of using multiple redirects, complicates automated detection and increases the likelihood of phishing emails bypassing security.

Cofense Intelligence has observed multiple phishing campaigns employing this blob URI technique, with lures designed to trick users into logging in to fake versions of familiar services like OneDrive. These lures include notifications of encrypted messages, prompts to access Intuit tax accounts, and alerts from financial institutions. Despite the varied initial pretexts, the general attack flow remains consistent.

Researchers warn that this type of phishing may become more common because it is effective at getting past security. So it is important to be careful about links in emails, even when they appear to lead to real websites, and to always double-check before typing in your login information. Seeing “blob:http://” or “blob:https://” in the address bar can be a sign of this new trick.
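The “blob:” prefix the researchers point to has a fixed structure that defenders can use: a blob URI looks like blob:&lt;origin&gt;/&lt;id&gt;, and the origin embedded in it is the page that created the blob, not the trusted site the email first linked to. The script below is an added example written for this article (it is not Cofense’s or Hackread’s code): it parses blob URIs from a list of URL strings such as a browser-history export or click log, attributes each one to its creating origin, and flags those whose origin is not on a small allow-list of services known to use blobs legitimately. The allow-list, the sample URLs and the hostnames in them are constructed for the example; “blob:null/…” is the real form a blob URI takes when the creating page had an opaque origin (for instance a sandboxed iframe), which is why it is treated separately.

```python
"""Flag blob: URIs and attribute each one to the origin that created it.

Added example for this article, not code from Cofense or Hackread.
Input is assumed to be plain URL strings (e.g. a browser-history export or
a URL-click log); the sample list below is constructed.
"""
import re
from typing import Optional

# blob:<origin>/<opaque id>. The origin is the page that called
# URL.createObjectURL(); "null" appears when that page had an opaque origin
# (sandboxed iframe, file:// page), so there is nothing to attribute.
BLOB_URI_RE = re.compile(
    r"^blob:(?P<origin>null|https?://[^/?#]+)/(?P<id>[^/?#]+)$", re.IGNORECASE
)

# Constructed allow-list of origins known to use blob URIs legitimately
# (the article's YouTube example); extend it from your own telemetry.
KNOWN_BLOB_ORIGINS = {"https://www.youtube.com"}

# Constructed sample input; hostnames under .example are placeholders.
SAMPLE_URLS = [
    "https://onedrive.live.com/?id=abc",  # ordinary link, not a blob
    "blob:https://www.youtube.com/6f2c0a3e-1b2d-4c3e-9a8b-7d6e5f4a3b2c",
    "blob:https://attacker-controlled.example/9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b",
    "blob:null/2b7e1516-28ae-4d2a-a6ab-f7158809cf4c",
    "blob:http://login.example/1234abcd",
]


def parse_blob_uri(url: str) -> Optional[dict]:
    """Return {origin, host, id} for a blob URI, or None for any other URL."""
    m = BLOB_URI_RE.match(url.strip())
    if not m:
        return None
    origin = m.group("origin").lower()
    host = None if origin == "null" else origin.split("://", 1)[1]
    return {"origin": origin, "host": host, "id": m.group("id")}


def classify_url(url: str, allow=KNOWN_BLOB_ORIGINS) -> str:
    """Verdict for one URL; blob URIs are judged by their creating origin."""
    info = parse_blob_uri(url)
    if info is None:
        return "not-blob"
    if info["origin"] == "null":
        return "blob-opaque-origin"  # cannot be attributed; treat as suspicious
    if info["origin"] in allow:
        return "blob-known-origin"
    return "blob-unknown-origin"


def scan_urls(urls, allow=KNOWN_BLOB_ORIGINS):
    """Return (url, verdict, origin) for every blob URI not on the allow-list."""
    findings = []
    for url in urls:
        verdict = classify_url(url, allow)
        if verdict in ("blob-unknown-origin", "blob-opaque-origin"):
            findings.append((url, verdict, parse_blob_uri(url)["origin"]))
    return findings


if __name__ == "__main__":
    for url, verdict, origin in scan_urls(SAMPLE_URLS):
        print(f"{verdict:20} origin={origin:40} {url}")
```

The useful output is the origin column: because a blob page lives only inside the victim’s browser, the creating origin is often the only network-visible artefact of the final phishing page, and it is what to pivot on when triaging a report. Opaque-origin blobs give no such pivot, which is why the script does not let them pass silently.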
