It might sound like an old B-movie horror film, but the blob is very real and very scary nonetheless. With email increasingly coming under attack from threat actors, and stolen passwords often used to gain initial access to email accounts, anything that combines the two things is a security nightmare. Welcome to the very dark and dangerous world of email blob attacks that will compromise your passwords.
Meet The Blob — A Password-Stealing Email Threat You Must Not Ignore
Threat intelligence experts have been monitoring a new threat to email users, and specifically their passwords, for some time now. As is nearly always the case, that threat arrives by way of a legitimate internet technology. Blob URIs, used to distribute phishing pages that can steal user credentials by way of email inboxes, are proving to be something of a hacker’s friend.
“Blob URIs are generated by a browser to display and work with temporary data that only that browser can access,” Jacob Malimban, a member of the Cofense Intelligence Team, said. By way of an example, you will find services such as YouTube storing videos temporarily within a browser using blob URIs. The advantage of a blob is that only the browser that generated it can access it. That’s the good news. The disadvantage of a blob is that only the browser that generated it can access it.
“Because the data is local to a client browser,” Malimban explained, “blob URIs cannot be directly accessed over the internet like usual websites.” That means the ultimate password-stealing phishing page is not accessible over the internet like other malicious sites, “because the blob URI used to visit it is generated locally.” Have you guessed why this is such a security nightmare yet, horror fans? Yep, it makes identifying and stopping such attacks harder than it should be, especially for those defenses using AI that have yet to learn “how to distinguish between legitimate and malicious blob URIs,” Malimban warned.
Identifying Email Blob Attacks, Protecting Your Passwords
Although it’s important to remember that these blobs can be used for legitimate purposes, if you get an email that includes a link to a site where the address bar shows either “blob:http://” or “blob:https://” at the start, you should be on high alert for a potential phishing attack. According to Malimban, multiple campaigns are currently using the blob URI attack methodology. “Campaign lures for logging in include receiving an encrypted message, accessing your Intuit tax account,” Malimban said, “and reviewing an alert from a financial institution.” You have been warned: be on alert for the blob and protect your passwords.
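
The address-bar check described above, written out as an added example that is not part of the original article or of Cofense's tooling: it flags top-level navigations that land on a “blob:http://” or “blob:https://” address and reports the origin embedded in the URI, which is the site that generated the blob. The record shape, the allowlist and all sample values are assumptions constructed for illustration.

```javascript
// Added example: triage browser navigation records for blob: addresses.
// A blob URI has the form blob:<creating origin>/<identifier>, so the
// origin that generated the page can be read back out of the address.
const BLOB_RE = /^blob:(https?:\/\/[^\/\s]+)\/(\S+)$/i;

// Split a blob URI into its creating origin and identifier, or return
// null when the address is not a blob:http(s):// URI.
function parseBlobUri(uri) {
  const m = BLOB_RE.exec(String(uri).trim());
  if (!m) return null;
  return { origin: m[1].toLowerCase(), id: m[2] };
}

// records: [{ url, topLevel }] (hypothetical telemetry shape).
// allowedOrigins: origins where a blob in the address bar is expected.
function flagBlobNavigations(records, allowedOrigins) {
  const allowed = new Set(allowedOrigins.map((o) => o.toLowerCase()));
  const findings = [];
  for (const rec of records) {
    if (!rec.topLevel) continue;            // media/subresource blobs are routine
    const blob = parseBlobUri(rec.url);
    if (!blob) continue;                    // ordinary address, nothing to flag
    if (allowed.has(blob.origin)) continue; // known legitimate use
    findings.push({ url: rec.url, creatingOrigin: blob.origin });
  }
  return findings;
}

// Constructed sample records, not real telemetry.
const SAMPLE_RECORDS = [
  { url: "https://mail.example.com/inbox", topLevel: true },
  { url: "blob:https://video.example.com/1c9f0a52-7d3e-4b8a-9f10-2a6b5c4d3e2f",
    topLevel: false },
  { url: "blob:https://files.example.net/9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
    topLevel: true },
  { url: "blob:https://docs.example.org/0e4f7c1a-55aa-4c0e-8b6d-7f3a2d9e1b44",
    topLevel: true },
];
const SAMPLE_ALLOWLIST = ["https://docs.example.org"];

for (const f of flagBlobNavigations(SAMPLE_RECORDS, SAMPLE_ALLOWLIST)) {
  console.log(`review: ${f.url} (created by ${f.creatingOrigin})`);
}
```

The creating origin is the useful pivot for an analyst: the blob page itself cannot be fetched from outside the browser, but the site that generated it can be investigated.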