Latest Phishing Technique Uses Fake Fonts to Evade Detection

New Phishing Template Targets Users of Major U.S. Bank

A phishing template used in recent attacks targeting the users of a major U.S. bank uses fake fonts to evade detection, Proofpoint security researchers warn.

This first-of-its kind phishing template uses fake web fonts to render well-crafted phishing pages and steal credentials. When rendered in a browser, the page uses stolen branding to impersonate the bank, which is typical to phishing pages.

What makes this kit stand out from the crowd, however, is the fact that the page’s source code includes unexpectedly encoded display text. According to Proofpoint, this is the first-time web fonts have been used to implement the encoding.

“Copying the cleartext from the webpage and pasting it into a text file still results in encoded text,” Proofpoint says. 

The text, however, can be decoded through a straightforward character substitution cipher, which actually simplifies the detection for automated systems. 

Phishing kits employing substitution functions frequently implement those in JavaScript, but the recent attack did not use such functions in the page source. Instead, the Cascading Style Sheets (CSS) code for the landing page included the source for the substitutions. 

This phishing kit doesn’t have a ../fonts/ directory, with base64-encoded woff and woff2 fonts being the only ones loaded. The attackers, however, are using modified versions of these web font files in their attack. 

“This phishing landing is utilizing a custom web font file to make the browser render the ciphertext as plaintext. As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page,” the security researchers explain.

The page also renders the stolen bank branding via SVG (scalable vector graphics), meaning that the logo and its source do not appear in the source code either. 

“The web (html, CSS, http) is inherently dynamic, and whether web pages are delivered via a web site and displayed in a browser, or via an email and displayed in an email client, attackers can use this dynamism to circumvent security controls, which are inherently static,” Matthew Gardiner, Security Strategist at Mimecast, told SecurityWeek.

Proofpoint says they first noticed the kit being used in May 2018, but that it might have appeared in previous attacks as well. Most of the archive dates on resource files the researchers observed in samples of this kit are dated early June 2018.

“Threat actors continue to introduce new techniques to evade detection and hide their activities. […] While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers,” Proofpoint concludes. 

In an emailed comment to SecurityWeek, Patrick Ciavolella, Digital Security and Operations Director for The Media Trust, also underlined the fact that the phishing kits obfuscation technique demonstrates continuous innovation from malware authors.

“Kits become more sophisticated with new tactics to avoid detection, website and mobile app operators will need to ramp up their ability to identify them,” he says. 

“A good way to monitor code is by continuously scanning digital assets for any and all code. If such a kit is installed in their website, and despite any obfuscation technique, they will be able to ID the new, unauthorized code,” Ciavolella concluded.

Related: Office 365, Outlook Credentials Most Targeted by Phishing Kits

Related: New Advanced Phishing Kit Targets eCommerce