
New SVG-based phishing campaign is a recipe for disaster

25 September 2025 at 11:32

We’ve written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing.

For readers who missed the earlier posts, SVG files are not always simply image files. Because they are written in XML (eXtensible Markup Language), they can contain HTML and JavaScript code, which cybercriminals can exploit for malicious purposes.

Another advantage for phishers is that, on a Windows computer, SVG files get opened by Microsoft Edge, regardless of what your default browser is. Since most people prefer to use a different browser, such as Chrome, Edge can often be overlooked when it comes to adding protection like ad-blockers and web filters.

The malicious SVG we’ve found uses a rather unusual method to send targets to a phishing site.

Inside RECElPT.SVG we found a script containing a lot of food/recipe-related names (“menuIngredients”, “bakingRound”, “saladBowl”, etc.), which are all simply creative disguises for obfuscating the code’s malicious intentions.

This is the part of the code where the phishers hid a redirect:

Image: function to define the ingredients.

Upon close inspection, the illusion of an edible recipe quickly disappears. 141 cups of eggs, anyone?

But picking the code apart, we noticed that the decoder works like this:

  1. Search for data-ingredients=”…” in the given text.
  2. Split the string inside the attribute by commas to get a list. E.g., 219cups_flour, 205tbsp_eggs,…
  3. For each element, extract the leading numeric value (e.g., 219 from 219cups_flour).
  4. Subtract 100 from this value.
  5. If the result is an ASCII printable character (ranging from 32–126), then convert it to the character with that number.
  6. Join all characters together to form the final decoded string.

Using this method we arrived at window.location.replace("https://outuer.devconptytld[.]com.au/");

window.location.replace is a JavaScript method that replaces the current resource with the one at the provided URL. In other words, it redirects the target to that location if they open the SVG file.
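As an added example, not code from the original post or from the campaign's SVG, the JavaScript below implements the six decoding steps listed above over a constructed sample attribute and adds a small triage check for a navigation call; the recipe names and the sample payload are made up.

```javascript
// Added example (not the campaign's own code): a decoder for the
// "recipe" obfuscation described above, for analysts who want to see
// what the embedded script resolves to without rendering the SVG.

// Constructed sample, not the real RECElPT.SVG: a harmless payload
// encoded the same way (number - 100 = ASCII code). The items with no
// leading number or an out-of-range result show what the decoder drops.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg">
  <g data-ingredients="199cups_flour, 211tbsp_eggs, 210pinch_salt,
      215cup_milk, 211dash_oil, 208tsp_yeast, 201cups_sugar,
      146stick_butter, 208dash_vanilla, 211zest_lemon, 203cup_water,
      140slice_bread, 134cup_honey, 204tsp_cinnamon, 205cloves_garlic,
      134cup_cream, 141cups_eggs, 5burnt_toast, 250raw_dough, pinch_nothing">
  </g>
</svg>`;

// Steps 2-6 from the write-up: split on commas, take the leading
// number, subtract 100, keep only printable ASCII (32-126), join.
function decodeIngredientList(list) {
  let out = "";
  for (const item of list.split(",")) {
    const m = item.trim().match(/^\d+/);
    if (!m) continue;                           // no leading number: skip
    const code = parseInt(m[0], 10) - 100;
    if (code >= 32 && code <= 126) out += String.fromCharCode(code);
  }
  return out;
}

// Step 1: find the data-ingredients="..." attribute. Curly quotes are
// accepted too, since samples pasted into reports often carry them.
function decodeIngredients(svgText) {
  const m = svgText.match(/data-ingredients=["\u201c]([^"\u201d]*)["\u201d]/);
  return m ? decodeIngredientList(m[1]) : null;
}

// Defender-side triage: does the decoded string navigate the browser?
function looksLikeRedirect(decoded) {
  return /window\.location\.(replace|assign|href)/.test(decoded || "");
}

const decoded = decodeIngredients(SAMPLE_SVG);
console.log(decoded, looksLikeRedirect(decoded) ? "(redirect)" : "(no redirect)");
// -> console.log("hi") (no redirect)
```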

When redirected, the user will see this prompt, which is basically intended to hide the real location of the server behind Cloudflare services, but also provides some sense of legitimacy for the visitor.

Image: “Verify you're not a robot” prompt.

It doesn’t matter what the user does here: they will be forwarded again, with the code passing the e parameter (the target’s email address) on to the next destination.

But this is where our adventure ended. For us, the next site was an empty one.

We couldn’t determine what conditions had to be met to get to the next stage of the phishing expedition. But it is highly likely it will display a fake login form (almost certainly Microsoft 365- or Outlook-themed), to capture the target’s username and password.

Microsoft flagged a similar campaign which was clearly obfuscated with AI assistance and appeared even more legitimate at first glance.

Some remarks we want to share about this campaign:

  • We found several versions of the SVG file dating back to August 26, 2025.
  • The attacks are very targeted with the target’s email address embedded in the SVG file.
  • The phishing domain could be a typosquat for the legitimate devconptyltd.com.au, so it could mean the targets were doing business with Devcon Pty Ltd who owns that domain. This is a tactic we often see in Business Email Compromise (BEC) attacks.
  • We found several subdomains of devconptytld[.]com.au associated with this campaign. The domain’s TLS certificate dates back to August 24, 2025 and is valid for 3 months.

How to stay safe from SVG phishing attacks

SVG files are an uncommon attachment to receive, so it’s good to keep in mind that:

  • They are not always “just” image files.
  • Several phishing and malware campaigns use SVG files, so they deserve the same treatment as any other attachment: don’t open one until a trusted sender confirms they sent it.
  • Always check the address of a website asking for credentials. Or use a password manager: it will not auto-fill your details on a fake website.
  • Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
  • Use an email security solution that can detect and quarantine suspicious attachments.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Romance scammers in Ghana charged with more than $100 million in theft

14 August 2025 at 12:00

The Department of Justice (DOJ) extradited and indicted 4 Ghanaian nationals for allegedly stealing more than $100 million, mainly through romance scams and business email compromises.

According to a report from Comparitech, nearly 59,000 Americans fell victim to romance scams in 2024, losing an estimated $697.3 million. Our own research from last year showed that 10% of romance scam victims lose more than $10,000. The overall true cost is believed to be vastly higher than official reports, as many cases go unreported due to victims’ shame and difficulty tracing scammers.

Many of the scammers work offshore from countries where the chances of them getting apprehended are slim. But US Attorney Jay Clayton stated:

“Offshore scammers should know that we, the FBI, and our law enforcement partners will work around the world to combat online fraud and bring perpetrators to justice.”

The four men are accused of being leaders of a criminal organization based in Ghana which committed romance scams and business email compromises against individuals and businesses located across the US.

Their victims were mostly older men and women tricked into believing they were engaging in a romantic relationship online. These “relationships” sometimes start as a harmless text or a direct message on social media and dating apps. Soon the scammer will suggest taking the conversation to a more secure platform like WhatsApp or Telegram.

The scammers will take the time to get to know you and assess what the best approach is to deceive you. Most of the time they are after your money, but sometimes they are after information. These scammers may also use other people, who are often younger, as money mules.

The people caught up in romance scams are courted and lavished with attention, until it’s time to cash in. Then the scammer suddenly needs money for travel, an illness, or other made-up reasons. Some scammers also lure victims with a supposedly great investment opportunity that you can’t afford to miss—which will turn out great for them, not the victim.

The four Ghanaian men are facing multiple charges including wire fraud, money laundering, receiving stolen money and more. In total each is facing a maximum sentence of 75 years in prison if convicted on all the charges.

Stay safe from romance scammers

The scale of losses from romance scams often eclipses that of many other types of reported consumer fraud or internet crime, demonstrating the high financial risk entailed in these emotional exploitation schemes.

So, it’s important to understand how these scams operate and how you can stay safe. Some of these tips may seem basic, but in these cases, it’s easy for people to mistake their online relationship with the scammer for a real one. This isn’t the fault of scam victims—it is just a symptom of how effective these scam methods are.

  • Don’t send money or disclose sensitive information to anyone you have never met in person.
  • Take it slow and read back answers. Scammers usually have a playbook, but sometimes you can spot inconsistencies in their answers.
  • Don’t do this alone. Find someone in your life to share this with. Their perspective may keep your feet on the ground.
  • Cut them off early. As soon as you suspect you are dealing with a scammer, stop responding. Don’t fall for sob stories or even physical threats they’ll use to keep the connection alive.
  • Check their profile picture in an online search. You may find other profiles with the same picture. This is a huge red flag.
  • The move to a “safer platform” is another red flag. They are not doing this for privacy reasons, but to stay under the radar of the platform where they first contacted you.
  • Consult with a financial advisor or investment professional who can provide an objective opinion if you’re offered an investment opportunity.
  • If you encounter something suspicious, report it to the appropriate authorities—such as local law enforcement or the FBI via its Internet Crime Complaint Center. Your action could prevent others from falling victim.
  • Share examples (anonymized) to help others. One way to do this is to use Malwarebytes Scam Guard, which also helps you assess if a message is a scam or not.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Phishers Target Aviation Execs to Scam Customers

24 July 2025 at 13:57

KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.

Image: Shutterstock, Mr. Teerapon Tiuekhom.

A reader who works in the transportation industry sent a tip about a recent successful phishing campaign that tricked an executive at the company into entering their credentials at a fake Microsoft 365 login page. From there, the attackers quickly mined the executive’s inbox for past communications about invoices, copying and modifying some of those messages with new invoice demands that were sent to some of the company’s customers and partners.

Speaking on condition of anonymity, the reader said the resulting phishing emails to customers came from a newly registered domain name that was remarkably similar to their employer’s domain, and that at least one of their customers fell for the ruse and paid a phony invoice. They said the attackers had spun up a look-alike domain just a few hours after the executive’s inbox credentials were phished, and that the scam resulted in a customer suffering a six-figure financial loss.

The reader also shared that the email address in the registration records for the imposter domain — roomservice801@gmail.com — is tied to many such phishing domains. Indeed, a search on this email address at DomainTools.com finds it is associated with at least 240 domains registered in 2024 or 2025. Virtually all of them mimic legitimate domains for companies in the aerospace and transportation industries worldwide.

An Internet search for this email address reveals a humorous blog post from 2020 on the Russian forum hackware[.]ru, which found roomservice801@gmail.com was tied to a phishing attack that used the lure of phony invoices to trick the recipient into logging in at a fake Microsoft login page. We’ll come back to this research in a moment.

JUSTY JOHN

DomainTools shows that some of the early domains registered to roomservice801@gmail.com in 2016 include other useful information. For example, the WHOIS records for alhhomaidhicentre[.]biz reference the technical contact of “Justy John” and the email address justyjohn50@yahoo.com.

A search at DomainTools found justyjohn50@yahoo.com has been registering one-off phishing domains since at least 2012. At this point, I was convinced that some security company surely had already published an analysis of this particular threat group, but I didn’t yet have enough information to draw any solid conclusions.

DomainTools says the Justy John email address is tied to more than two dozen domains registered since 2012, but we can find hundreds more phishing domains and related email addresses simply by pivoting on details in the registration records for these Justy John domains. For example, the street address used by the Justy John domain axisupdate[.]net — 7902 Pelleaux Road in Knoxville, TN — also appears in the registration records for accountauthenticate[.]com, acctlogin[.]biz, and loginaccount[.]biz, all of which at one point included the email address rsmith60646@gmail.com.

That Rsmith Gmail address is connected to the 2012 phishing domain alibala[.]biz (one character off of the Chinese e-commerce giant alibaba.com, with a different top-level domain of .biz). A search in DomainTools on the phone number in those domain records — 1.7736491613 — reveals even more phishing domains as well as the Nigerian phone number “2348062918302” and the email address michsmith59@gmail.com.

DomainTools shows michsmith59@gmail.com appears in the registration records for the domain seltrock[.]com, which was used in the phishing attack documented in the 2020 Russian blog post mentioned earlier. At this point, we are just two steps away from identifying the threat actor group.

The same Nigerian phone number shows up in dozens of domain registrations that reference the email address sebastinekelly69@gmail.com, including 26i3[.]net, costamere[.]com, danagruop[.]us, and dividrilling[.]com. A Web search on any of those domains finds they were indexed in an “indicator of compromise” list on GitHub maintained by Palo Alto Networks’ Unit 42 research team.

SILVERTERRIER

According to Unit 42, the domains are the handiwork of a vast cybercrime group based in Nigeria that it dubbed “SilverTerrier” back in 2014. In an October 2021 report, Palo Alto said SilverTerrier excels at so-called “business e-mail compromise” or BEC scams, which target legitimate business email accounts through social engineering or computer intrusion activities. BEC criminals use that access to initiate or redirect the transfer of business funds for personal gain.

Palo Alto says SilverTerrier encompasses hundreds of BEC fraudsters, some of whom have been arrested in various international law enforcement operations by Interpol. In 2022, Interpol and the Nigeria Police Force arrested 11 alleged SilverTerrier members, including a prominent SilverTerrier leader who’d been flaunting his wealth on social media for years. Unfortunately, the lure of easy money, endemic poverty and corruption, and low barriers to entry for cybercrime in Nigeria conspire to provide a constant stream of new recruits.

BEC scams were the 7th most reported crime tracked by the FBI’s Internet Crime Complaint Center (IC3) in 2024, generating more than 21,000 complaints. However, BEC scams were the second most costly form of cybercrime reported to the feds last year, with nearly $2.8 billion in claimed losses. In its 2025 Fraud and Control Survey Report, the Association for Financial Professionals found 63 percent of organizations experienced a BEC last year.

Poking at some of the email addresses that spool out from this research reveals a number of Facebook accounts for people residing in Nigeria or in the United Arab Emirates, many of whom do not appear to have tried to mask their real-life identities. Palo Alto’s Unit 42 researchers reached a similar conclusion, noting that although a small subset of these crooks went to great lengths to conceal their identities, it was usually simple to learn their identities on social media accounts and the major messaging services.

Palo Alto said BEC actors have become far more organized over time, and that while it remains easy to find actors working as a group, the practice of using one phone number, email address or alias to register malicious infrastructure in support of multiple actors has made it far more time consuming (but not impossible) for cybersecurity and law enforcement organizations to sort out which actors committed specific crimes.

“We continue to find that SilverTerrier actors, regardless of geographical location, are often connected through only a few degrees of separation on social media platforms,” the researchers wrote.

FINANCIAL FRAUD KILL CHAIN

Palo Alto has published a useful list of recommendations that organizations can adopt to minimize the incidence and impact of BEC attacks. Many of those tips are prophylactic, such as conducting regular employee security training and reviewing network security policies.

But one recommendation — getting familiar with a process known as the “financial fraud kill chain” or FFKC — bears specific mention because it offers the single best hope for BEC victims who are seeking to claw back payments made to fraudsters, and yet far too many victims don’t know it exists until it is too late.

Image: ic3.gov.

As explained in this FBI primer, the International Financial Fraud Kill Chain is a partnership between federal law enforcement and financial entities whose purpose is to freeze fraudulent funds wired by victims. According to the FBI, viable victim complaints filed with ic3.gov promptly after a fraudulent transfer (generally less than 72 hours) will be automatically triaged by the Financial Crimes Enforcement Network (FinCEN).

The FBI noted in its IC3 annual report (PDF) that the FFKC had a 66 percent success rate in 2024. Viable ic3.gov complaints involve losses of at least $50,000, and include all records from the victim or victim bank, as well as a completed FFKC form (provided by FinCEN) containing victim information, recipient information, bank names, account numbers, location, SWIFT, and any additional information.
