New Phishing Tactic Avoids Detection Using Custom Fonts

Researchers at Proofpoint discovered cyber criminals using a new phishing technique to cover their tracks and avoid detection. The campaign uses custom web fonts to hide the real text of its phishing pages from automated analysis of the page source. Proofpoint observed the technique in a campaign impersonating a major U.S.-based retail bank to steal customer credentials.

The campaign was discovered in May 2018, but the researchers say the technique may have been in use for some time before that.

Phishing kits commonly obfuscate their pages with substitution ciphers, but automated analysis systems can usually reverse a cipher applied to the page text and recover the original. This campaign instead performs the substitution inside a custom web font: the HTML contains ciphertext, and the font's glyphs are arranged so that the browser renders that ciphertext as readable text. Because the letters the victim sees never appear in the page source, string matching and cipher-reversal heuristics that operate on the source find nothing to match. The substitution is driven by CSS (the font declaration on the landing page) rather than by the JavaScript decoding routines more commonly seen in phishing kits.

To avoid further detection, the kit draws the bank's logos as inline scalable vector graphics (SVG). The logo is rendered from SVG markup rather than loaded from an image file, so neither the logo image nor a URL pointing at its source appears in the page source, and automated systems that look for known logo files or links to them have nothing to match.

“Linking to actual logos and other visual resources can also potentially be detected by the brand being impersonated.”

To reach the campaign's landing page, a victim first has to open the link in the phishing email, which leads to a page resembling the login page of a U.S. bank. When the page is opened, the browser displays readable text, but the text in the page source is ciphertext: the browser's font rendering masks the ciphertext as plaintext. On closer analysis, the encoded display text was styled with custom fonts that the page's CSS embeds as base64-encoded WOFF and WOFF2 data.

“As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page”
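The following Python script is an added example, not code from Proofpoint, LIFARS, or the phishing kit itself. It shows the two halves of the technique described above: a monoalphabetic substitution in which the HTML carries ciphertext and the font's glyph order makes it read correctly on screen, and a simple triage check that flags a page when it embeds a base64 WOFF/WOFF2 font and its DOM text reads like ciphertext. The glyph order, the mock login page, the word list, and the "font" (only a 4-byte WOFF magic plus zero padding, not a real font) are all constructed for the example; the readability threshold is the example's own heuristic, not a published indicator.

```python
"""Added example: substitution-via-font demo plus a triage check for it.
Everything below is constructed: GLYPH_ORDER is an invented glyph arrangement,
FAKE_WOFF_B64 is only the WOFF magic plus padding (not a real font), and the
HTML is a mock-up of a login page, not the actual phishing page."""
import base64
import re
import string
from html.parser import HTMLParser

LOWER = string.ascii_lowercase

def render(dom_text: str, glyph_order: str) -> str:
    """What the browser shows: the font stores the glyph for glyph_order[i] at the
    code point of LOWER[i], so DOM letter LOWER[i] is drawn as glyph_order[i]."""
    table = str.maketrans(LOWER + LOWER.upper(), glyph_order + glyph_order.upper())
    return dom_text.translate(table)

def encode_for_dom(plaintext: str, glyph_order: str) -> str:
    """Inverse of render(): the ciphertext an attacker writes into the HTML so the
    swapped font makes it read as `plaintext` on screen."""
    table = str.maketrans(glyph_order + glyph_order.upper(), LOWER + LOWER.upper())
    return plaintext.translate(table)

# @font-face rules whose src is an inline base64 data: URI (no font file is fetched).
FONT_FACE_RE = re.compile(
    r"@font-face\s*\{[^}]*?url\(\s*['\"]?data:([^;,]+);base64,([A-Za-z0-9+/=\s]+)",
    re.IGNORECASE | re.DOTALL,
)
WOFF_MAGIC = {b"wOFF": "woff", b"wOF2": "woff2"}

def embedded_fonts(html: str) -> list:
    """(mime, format) for every inline base64 font whose bytes start with a WOFF/WOFF2 magic."""
    found = []
    for mime, b64 in FONT_FACE_RE.findall(html):
        raw = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
        fmt = WOFF_MAGIC.get(raw[:4])
        if fmt:
            found.append((mime.strip(), fmt))
    return found

class _TextGrabber(HTMLParser):
    """Collect what a user would see: text nodes plus placeholder/value/title
    attributes, skipping <script> and <style> contents."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        self.parts.extend(v for k, v in attrs if k in ("placeholder", "value", "title") and v)
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(data.strip())

def visible_text(html: str) -> str:
    p = _TextGrabber()
    p.feed(html)
    return " ".join(p.parts)

# Words the DOM text of a genuine bank login page can be expected to contain.
COMMON_WORDS = {"online", "banking", "sign", "in", "log", "login", "user", "id",
                "password", "account", "forgot", "your", "enter", "to", "the"}

def triage(html: str) -> dict:
    """Flag a page that embeds a WOFF/WOFF2 font AND whose DOM text reads like ciphertext."""
    fonts = embedded_fonts(html)
    words = re.findall(r"[A-Za-z]+", visible_text(html).lower())
    hits = sum(w in COMMON_WORDS for w in words)
    ratio = hits / len(words) if words else 0.0
    return {"embedded_woff": len(fonts), "readable_ratio": round(ratio, 2),
            "suspicious": bool(fonts) and ratio < 0.2}

# ---- constructed samples -----------------------------------------------------
GLYPH_ORDER = "qwertyuiopasdfghjklzxcvbnm"                       # invented
FAKE_WOFF_B64 = base64.b64encode(b"wOFF" + bytes(40)).decode()  # magic + padding only
LABELS = ["Online Banking Sign In", "User ID", "Password", "Forgot your password?"]

def build_page(encode: bool) -> str:
    """Mock login page; encode=True applies the substitution and embeds the fake font."""
    t = [encode_for_dom(s, GLYPH_ORDER) if encode else s for s in LABELS]
    css = ('@font-face { font-family: "bankfont"; src: url("data:application/font-woff;base64,%s") '
           'format("woff"); } body { font-family: "bankfont"; }' % FAKE_WOFF_B64) if encode else ""
    return ("<html><head><style>%s</style></head><body><h1>%s</h1>"
            '<label>%s</label><input name="u" placeholder="%s">'
            '<label>%s</label><input name="p" type="password" placeholder="%s">'
            '<a href="#">%s</a></body></html>') % (css, t[0], t[1], t[1], t[2], t[2], t[3])

PHISH_HTML = build_page(encode=True)
BENIGN_HTML = build_page(encode=False)

if __name__ == "__main__":
    print("DOM text  :", visible_text(PHISH_HTML))
    print("on screen :", render(visible_text(PHISH_HTML), GLYPH_ORDER))
    print("phish     :", triage(PHISH_HTML))
    print("benign    :", triage(BENIGN_HTML))
```

Running the script prints the ciphertext that actually sits in the page source ("Iyshyc Xkyrhyo Lhoy Hy ...") next to the text the victim sees, and flags the mock phishing page while leaving the plain version alone. The triage check is deliberately crude: a real kit could pad the page with readable decoy text or use a real font with only a few glyphs swapped, so the inline-font signal should feed a sandbox that renders the page and OCRs the screenshot rather than be trusted on its own.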

Users should remain wary when opening emails. A message may look legitimate and still be part of a phishing campaign, and as this case shows, the page it leads to may look exactly like the real login page. To avoid falling victim, users should not click links in emails that ask them to log in, and should instead type their bank's address into the browser themselves. Training employees is an important part of building security awareness within a company; contact LIFARS for more information.