Browser extension tool SingleFile leveraged to copy malicious login pages in a new phishing attack

  • The web extension is used as the obfuscation method to avoid detection.
  • This can enable attackers to steal users’ login credentials.

Cybercriminals have been found using the legitimate browser extension tool SingleFile as a part of their latest phishing campaign. The web extension is used as the obfuscation method to avoid detection.

What is SingleFile - SingleFile is an extension available for Google Chrome and Mozilla Firefox. It allows users to save a webpage, together with the files it requires, as a single HTML document.

How is it exploited by attackers - According to Trend Micro researchers, the cybercriminals are using SingleFile to copy the login pages of legitimate websites, which can later be used to steal users’ credentials.

Citing the effectiveness of using SingleFile as an attack tool, researchers said, “unlike other obfuscation methods such as 'document.write(unescape(' which uses JavaScript, the generated phishing page hides the login form HTML code and the JavaScript used by the original login page from static detection tools.”
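For defenders triaging HTML fetched from a reported link, the following added example (not from Trend Micro or the SingleFile project) flags a document that looks like a SingleFile snapshot of one site being served from another. It assumes the header comment SingleFile writes by default (`Page saved with SingleFile`, followed by a `url:` line); the sample page and host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: default SingleFile output starts with a comment of this shape.
# An attacker can strip it, so its absence proves nothing.
MARKER = re.compile(
    r"<!--\s*Page saved with SingleFile\s+url:\s*(\S+)", re.IGNORECASE)
PASSWORD_INPUT = re.compile(
    r"<input\b[^>]*\btype\s*=\s*[\"']?password", re.IGNORECASE)
DATA_URI = re.compile(r"data:[\w.+-]+/[\w.+-]+;base64,", re.IGNORECASE)


def triage(html: str, served_from: str) -> dict:
    """Collect static signals for one HTML document fetched from served_from."""
    served_host = (urlsplit(served_from).hostname or "").lower()
    m = MARKER.search(html)
    saved_host = (urlsplit(m.group(1)).hostname or "").lower() if m else None
    return {
        "singlefile_marker": m is not None,
        "saved_from": saved_host,
        # Core signal: a snapshot of site A that is being served by site B.
        "host_mismatch": bool(saved_host) and saved_host != served_host,
        # Supporting signals only: per the article, the login form may not
        # be visible to static inspection at all.
        "password_field": PASSWORD_INPUT.search(html) is not None,
        "inlined_resources": len(DATA_URI.findall(html)),
    }


# Constructed sample: snapshot of login.example.com (placeholder host).
SAMPLE = """<!DOCTYPE html><html><!--
 Page saved with SingleFile
 url: https://login.example.com/signin
 saved date: Mon Jan 01 2024 00:00:00 GMT+0000
--><head><style>.logo{background:url(data:image/png;base64,AAAA)}</style></head>
<body><form><input type="password" name="pw"></form></body></html>"""

if __name__ == "__main__":
    # Same snapshot, once on an unrelated host and once on its own host.
    for url in ("https://example.net/x/index.html",
                "https://login.example.com/signin"):
        print(url, triage(SAMPLE, url))
```

A host mismatch is a reason to look closer rather than a verdict, since archive and caching sites legitimately serve SingleFile snapshots of other pages.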

How to stay safe - Given the way threat actors can exploit SingleFile for malicious purposes, it is important to minimize the threat of this attack. This includes:

  • Avoid clicking on unusual URLs that carry a company’s or brand’s name. Instead, visit the brand’s site directly by typing the address in the address bar.
  • Some threat actors create URLs that look similar to the URL of an official website. Therefore, users must cross-check whether the website they are visiting is legitimate or not.
  • Users should avoid clicking on any links or downloading files that are received via email unless they are absolutely sure about the sender.