Proofpoint’s cyber security researchers have discovered cyber criminals using fake fonts in phishing web pages, allowing these pages to evade detection by unsuspecting victims, security vendors and affected organisations. This unique technique, observed for the first time, has been used in an online banking credential phishing scam which leveraged the stolen branding of a major US retail bank. The well-crafted phishing web pages use custom web font files (so-called ‘woff’ files) to implement a substitution cypher that makes the source code of phishing pages appear benign.
When the phishing landing page renders in the browser, users are presented with a typical online banking credential phish leveraging stolen bank branding. However, the source code of the page includes unexpectedly encoded display text (Figure 1).
Copying the clear text from the web page and pasting it into a text file still results in encoded text. The text can be decoded through a straightforward character substitution cipher, making detection of the phishing landing page simple for automated systems. However, the implementation of the substitution in this case merits closer examination.
After reviewing many copies of the phishing kit left behind by the threat actors, Proofpoint knows that the ../fonts/ directory doesn’t exist in the kit, making the base64-encoded woff and woff2 the only loaded fonts.
If an effort is them made to extract, convert and view the woff and woff2 web font files, a specific font specification is observed (Figure 3).
This phishing landing is using a custom web font file to make the browser render the cipher text as plain text. As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page.
It’s also worth noting that the stolen bank branding is rendered via SVG (Scaleable Vector Graphics), so the logo and its source don’t appear in the source code. Linking to actual logos and other visual resources can also potentially be detected by the brand being impersonated.
Proofpoint first observed the use of this kit in May last year, but it’s certainly possible that the kit appeared ‘in the wild’ at an earlier juncture. Most archive dates on resource files observed by Proofpoint in samples of this kit are dated early June 2018.
Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims and security vendors and even from ‘savvy’ organisations proactively searching for brand abuse. In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank. While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.
Proofpoint identified several e-mail addresses associated with the phishing kit, both within the PHP source code and hard-coded as recipients of stolen credentials. These addresses included the following: