Fake fonts used in phishing attacks, researchers warn

News by Rene Millman

Web fonts are being used as a substitution cypher in a novel attack to bypass security scanners, according to new research from Proofpoint.

Phishers have deployed a new technique that uses fake web fonts to evade detection by organisations and security firms.

According to a blog post by researchers at Proofpoint, this is the first time they have observed custom web font files used to install an encrypted font that is in effect a substitution cypher. They observed the encoding in a credential harvesting scheme impersonating a major retail bank.

The source code makes the suspect phishing page look harmless, but a user would instead see a fake landing page designed to steal login credentials.

According to Proofpoint, substitution functions in phishing kits are frequently implemented in JavaScript, but no such functions appeared in the page source. But in this case the source of the substitution was found in the CSS code of the landing page. The fonts, ‘WOFF’ and ‘WOFF2’, were used and hidden via Base64 encoding.

"As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters "abcdefghi..." with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page," said researchers.

In this case, "A" would be written as "M" and "Z" as "S". Security tools looking for keywords would only see a set of random letters.

To evade detection further, criminals rendered the bank logo using SVG (scalable vector graphics), so its image and source do not appear in the source code. Image links to real logos are usually detected by security products.

Researchers first spotted this kit being used in May last year, but they noted it could have appeared in the wild earlier. Most archive dates on resource files observed in samples of this kit are dated early June 2018. According to researchers, hackers used this custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank.

"While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers," said researchers.

Maor Hizkiev, CTO and Co-founder at BitDam, told SC Media UK that the use of strong-form impersonation also means that the phishing attack even worked on employees with a high level of cyber education.

"Stating that this is a ‘phishing kit’ implies that we will see a lot more of this kind of attack, and neither educated employees nor traditional security solutions will be able to detect them on a consistent basis," he said.

"Organisations should adopt an advanced and proactive threat solution for content-borne attacks, in addition to the standard secure email gateway, that can identify all threats coming through the inbox before any damage is done. Although it can be difficult to identify a strong-form phishing attacks like this one, users should be more sceptical and vigilant when opening emails from untrusted sources or responding to any request for their personal and/or financial information."

Javvad Malik, security advocate at AlienVault, told SC that phishing attacks have evolved to evade detection. "However, ultimately, they are targeted at an individual user, therefore, appropriate training and awareness is vital to remind users to remain vigilant to unsolicited or unexpected emails which ask for credentials, or payment, or other actions that are out of the ordinary," he said. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews