Latest Phishing Technique Uses Fake Fonts to Evade Detection

New Phishing Template Targets Users of Major U.S. Bank

A phishing template used in recent attacks targeting the users of a major U.S. bank uses fake fonts to evade detection, Proofpoint security researchers warn.


This first-of-its-kind phishing template uses fake web fonts to render well-crafted phishing pages and steal credentials. When rendered in a browser, the page uses stolen branding to impersonate the bank, which is typical of phishing pages.

What makes this kit stand out from the crowd, however, is the fact that the page’s source code includes unexpectedly encoded display text. According to Proofpoint, this is the first time web fonts have been used to implement the encoding.

“Copying the cleartext from the webpage and pasting it into a text file still results in encoded text,” Proofpoint says.

The text, however, can be decoded through a straightforward character substitution cipher, which actually simplifies the detection for automated systems. 

Phishing kits employing substitution functions frequently implement those in JavaScript, but the recent attack did not use such functions in the page source. Instead, the Cascading Style Sheets (CSS) code for the landing page included the source for the substitutions. 

This phishing kit doesn’t have a ../fonts/ directory, with base64-encoded woff and woff2 fonts being the only ones loaded. The attackers, however, are using modified versions of these web font files in their attack. 


“This phishing landing is utilizing a custom web font file to make the browser render the ciphertext as plaintext. As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page,” the security researchers explain.
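The check below is an added example, not code from Proofpoint or from the article: it flags a page that embeds an inline base64 WOFF/WOFF2 font, shows none of the expected login words in its source text, yet yields them once a font substitution table is applied. The table, word list, function names and sample pages are constructed for illustration; in a real case the table would have to be recovered from the kit's font file.

```python
import re
from html.parser import HTMLParser

# Constructed table (assumption): the font slot for each letter in SLOTS
# draws the glyph found at the same position in DRAWN.
SLOTS = "abcdefghijklmnopqrstuvwxyz"
DRAWN = "qwertyuiopasdfghjklzxcvbnm"
RENDER = str.maketrans(SLOTS, DRAWN)
LURE_WORDS = {"password", "sign", "online", "banking", "account"}

# @font-face rule whose src is an inline base64 WOFF/WOFF2 data URI.
INLINE_FONT = re.compile(
    r"@font-face[^}]*?url\(['\"]?data:[^;)]*woff2?[^;)]*;base64,", re.I)

class VisibleText(HTMLParser):
    """Collects text nodes, skipping <style> and <script> bodies."""
    def __init__(self):
        super().__init__()
        self.skip, self.chunks = 0, []
    def handle_starttag(self, tag, attrs):
        self.skip += tag in ("style", "script")
    def handle_endtag(self, tag):
        if tag in ("style", "script") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def lure_hits(text):
    return sorted(LURE_WORDS & set(re.findall(r"[a-z]+", text.lower())))

def analyse(html, table=RENDER):
    parser = VisibleText()
    parser.feed(html)
    source_text = " ".join(parser.chunks)
    src, ren = lure_hits(source_text), lure_hits(source_text.translate(table))
    inline = bool(INLINE_FONT.search(html))
    # Flag: inline font, no lure words in the source, lure words once rendered.
    return {"inline_font": inline, "source_hits": src, "rendered_hits": ren,
            "suspicious": inline and not src and bool(ren)}

# Constructed sample pages; "AAAA" is a placeholder, not a real font.
SAMPLE = """<html><head><style>
@font-face { font-family: x;
  src: url(data:application/font-woff2;base64,AAAA) format('woff2'); }
body { font-family: x; }
</style></head><body><h1>iyshyc xkyrhyo</h1>
<p>lhoy hy</p><label>jkllbidm</label></body></html>"""
BENIGN = "<html><body><h1>Sign in to online banking</h1></body></html>"
```

`analyse(SAMPLE)` reports the page as suspicious, while `analyse(BENIGN)` finds the login words directly in the source and does not flag it.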

The page also renders the stolen bank branding via SVG (scalable vector graphics), meaning that the logo and its source do not appear in the source code either. 

“The web (html, CSS, http) is inherently dynamic, and whether web pages are delivered via a web site and displayed in a browser, or via an email and displayed in an email client, attackers can use this dynamism to circumvent security controls, which are inherently static,” Matthew Gardiner, Security Strategist at Mimecast, told SecurityWeek.

Proofpoint says they first noticed the kit being used in May 2018, but that it might have appeared in previous attacks as well. Most of the archive dates on resource files the researchers observed in samples of this kit are from early June 2018.

“Threat actors continue to introduce new techniques to evade detection and hide their activities. […] While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers,” Proofpoint concludes. 

In an emailed comment to SecurityWeek, Patrick Ciavolella, Digital Security and Operations Director for The Media Trust, also underlined the fact that the phishing kit's obfuscation technique demonstrates continuous innovation from malware authors.

“Kits become more sophisticated with new tactics to avoid detection, website and mobile app operators will need to ramp up their ability to identify them,” he says. 

“A good way to monitor code is by continuously scanning digital assets for any and all code. If such a kit is installed in their website, and despite any obfuscation technique, they will be able to ID the new, unauthorized code,” Ciavolella concluded.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
