Novel Phishing Scam Uses Custom Web Fonts to Evade Detection

A new phishing scam has been detected that uses a novel method to evade detection – The use of custom fonts to implement a substitution cipher that makes the source code of the phishing page appear as plaintext.

Many phishing web pages obfuscate their source code to make it harder for automated security solutions to uncover malicious actions and make the phishing pages appear harmless. As such, the phishing sites are not blocked and users may be fooled into supplying their credentials as requested. The phishing web pages used in this scam will display what appears to be a genuine website when the page is rendered in the browser. Users will be presented with a spoofed web page that closely resembles the standard login page of their bank. To the user, apart from the domain name, there is nothing to indicate that the site is not genuine. If credentials are entered, they will be harvested by the scammer and used to gain access to the users’ bank account.

In this case, a substitution cipher is used to obfuscate the source code. To security solutions, the text is encoded, which makes it difficult to determine what that code does. This tactic has been used in previous phishing campaigns, with the substitution cipher applied using JavaScript. While users may be fooled, automated security solutions can detect the JavaScript fairly easily and can block access to the web page.

The latest campaign uses custom fonts – termed woff files – which are present on the page and hidden through base64 encoding. These custom fonts are used to implement the cipher and make the source code appear as plaintext, while the actual source code is encrypted and remains hidden. The substitution is performed using CSS on the landing page, rather than JavaScript. This technique has not been seen before and is much harder to detect.

The substitution cipher results in the user being displayed the correct text when the page is rendered in the browser, although that text will not exist on the page. Solutions that search for certain keywords to identify whether a site is malicious will therefore not find those keywords and will not block access to the page. This technique substitutes individual letters such as abcd with alternate letters jehr for example using woff and woff2 fonts. While the page is rendered correctly for the user, when a program reads the source code it is presented with jumbled, gibberish letters.

As an additional measure to avoid detection, the logos that have been stolen from the targeted bank are also obfuscated. It is common for bank logos to be stolen and included on phishing pages to convince visitors they are on a genuine site, but the use of the logos can be detected. By rendering the graphics using scalable vector graphics (SVG) files, the logos and their source do not appear in the source code of the page and are hard to detect.

These new techniques show just how important it is to block phishing emails at source before they are delivered to end users’ inboxes and the need for comprehensive cybersecurity training to be provided to employees to help them identify potentially malicious emails. A web filtering solution is also important to prevent users from visiting phishing pages, either through general browsing, redirects via malvertising, or blocking users when they click embedded hyperlinks in phishing emails.

To find out more about cybersecurity solutions that can protect against phishing attacks, contact the TitanHQ team today.