Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Latest Phishing Technique Uses Fake Fonts to Evade Detection

New Phishing Template Targets Users of Major U.S. Bank

A phishing template used in recent attacks targeting the users of a major U.S. bank uses fake fonts to evade detection, Proofpoint security researchers warn.

New Phishing Template Targets Users of Major U.S. Bank

A phishing template used in recent attacks targeting the users of a major U.S. bank uses fake fonts to evade detection, Proofpoint security researchers warn.

This first-of-its kind phishing template uses fake web fonts to render well-crafted phishing pages and steal credentials. When rendered in a browser, the page uses stolen branding to impersonate the bank, which is typical to phishing pages.

What makes this kit stand out from the crowd, however, is the fact that the page’s source code includes unexpectedly encoded display text. According to Proofpoint, this is the first-time web fonts have been used to implement the encoding.

“Copying the cleartext from the webpage and pasting it into a text file still results in encoded text,” Proofpoint says

The text, however, can be decoded through a straightforward character substitution cipher, which actually simplifies the detection for automated systems. 

Phishing kits employing substitution functions frequently implement those in JavaScript, but the recent attack did not use such functions in the page source. Instead, the Cascading Style Sheets (CSS) code for the landing page included the source for the substitutions. 

This phishing kit doesn’t have a ../fonts/ directory, with base64-encoded woff and woff2 fonts being the only ones loaded. The attackers, however, are using modified versions of these web font files in their attack. 

“This phishing landing is utilizing a custom web font file to make the browser render the ciphertext as plaintext. As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page,” the security researchers explain.

The page also renders the stolen bank branding via SVG (scalable vector graphics), meaning that the logo and its source do not appear in the source code either. 

“The web (html, CSS, http) is inherently dynamic, and whether web pages are delivered via a web site and displayed in a browser, or via an email and displayed in an email client, attackers can use this dynamism to circumvent security controls, which are inherently static,” Matthew Gardiner, Security Strategist at Mimecast, told SecurityWeek.

Proofpoint says they first noticed the kit being used in May 2018, but that it might have appeared in previous attacks as well. Most of the archive dates on resource files the researchers observed in samples of this kit are dated early June 2018.

“Threat actors continue to introduce new techniques to evade detection and hide their activities. […] While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers,” Proofpoint concludes. 

In an emailed comment to SecurityWeekPatrick Ciavolella, Digital Security and Operations Director for The Media Trust, also underlined the fact that the phishing kits obfuscation technique demonstrates continuous innovation from malware authors.

“Kits become more sophisticated with new tactics to avoid detection, website and mobile app operators will need to ramp up their ability to identify them,” he says. 

“A good way to monitor code is by continuously scanning digital assets for any and all code. If such a kit is installed in their website, and despite any obfuscation technique, they will be able to ID the new, unauthorized code,” Ciavolella concluded.

Related: Office 365, Outlook Credentials Most Targeted by Phishing Kits

Related: New Advanced Phishing Kit Targets eCommerce

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.