Cyber criminals “using fake fonts” to evade detection and steal banking details

Figure 1: Code snippet from phishing landing page with displayed text encoded despite decoded rendering

Proofpoint’s cyber security researchers have discovered cyber criminals using fake fonts in phishing web pages, allowing those pages to evade detection by unsuspecting victims, security vendors and the organisations being impersonated. This technique, observed by Proofpoint for the first time, was used in an online banking credential phishing scam that leveraged the stolen branding of a major US retail bank. The well-crafted phishing web pages use custom web font files (so-called ‘woff’ files) to implement a substitution cipher that makes the source code of the phishing pages appear benign.

When the phishing landing page renders in the browser, users are presented with a typical online banking credential phish leveraging stolen bank branding. However, the source code of the page contains unexpectedly encoded display text (Figure 1).

Copying the text displayed on the web page and pasting it into a text file still yields the encoded text: the readable words never exist in the page’s text nodes. The encoded text can be decoded with a straightforward character substitution cipher, so once the mapping is known, detection of the phishing landing page is simple for automated systems. However, the way the substitution has been implemented in this case merits closer examination.

Figure 2: CSS @font-face rule from the phishing landing page source code

Substitution functions in phishing kits are frequently implemented in JavaScript, but no such functions appeared in the page source. Instead, Proofpoint identified the source of the substitution in the CSS code for the landing page: the @font-face rule (Figure 2).

After reviewing many copies of the phishing kit left behind by the threat actors, Proofpoint knows that the ../fonts/ directory referenced in the rule doesn’t exist in the kit, making the base64-encoded woff and woff2 files embedded directly in the CSS the only fonts that actually load.

If an effort is then made to extract, convert and view the woff and woff2 web font files, a specific font specification is observed (Figure 3).

This phishing landing page is using a custom web font file to make the browser render the cipher text as plain text. A Web Open Font Format (WOFF) font normally maps the character codes for “abcdefghi…” to the glyphs that draw those letters. In this font the mapping has been rearranged so that each character code is drawn with the glyph of its substituted letter. The intended text is therefore shown in the browser, but it never exists in the page source, so a ‘view source’, a copy-and-paste or a simple string match against the page sees only the cipher text.
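As an added illustration (this is not code from the Proofpoint research or from the phishing kit itself), the JavaScript below models the mechanism just described. A hypothetical, constructed glyph order stands in for the real font’s character-to-glyph table; encodeForPage produces the cipher text a kit author would write into the HTML, renderedText shows what the browser displays once the @font-face is applied, and triage flags a constructed sample page whose readable words only appear after the font mapping. The font name, the base64 placeholder, the glyph order and the word list are all assumptions made for the example.

```javascript
// Added example, not code from the Proofpoint write-up or from the kit.
// Models the font-based substitution cipher: the DOM holds cipher text and a
// custom @font-face font turns it back into readable text on screen.

const ALPHABET    = "abcdefghijklmnopqrstuvwxyz";
const GLYPH_ORDER = "qwertyuiopasdfghjklzxcvbnm"; // hypothetical cmap, constructed

// cmap-style table: character in the page source -> letter the glyph draws.
// Only letters are remapped; digits and punctuation render as themselves.
const cmap = new Map([...ALPHABET].map((c, i) => [c, GLYPH_ORDER[i]]));
// Inverse table: what the kit author writes into the HTML for each intended letter.
const inverse = new Map([...cmap].map(([k, v]) => [v, k]));

function mapText(text, table) {
  return [...text].map((ch) => {
    const lower = ch.toLowerCase();
    if (!table.has(lower)) return ch;              // non-letters pass through
    const out = table.get(lower);
    return ch === lower ? out : out.toUpperCase(); // preserve case
  }).join("");
}

// Kit side: turn the intended plain text into what goes in the DOM.
function encodeForPage(plain) { return mapText(plain, inverse); }
// Analyst side: what the browser shows once the font is applied.
function renderedText(domText) { return mapText(domText, cmap); }

// Find @font-face rules whose src is an inline base64 data: URI, the way the
// kit in the article shipped its fonts (its ../fonts/ path did not exist).
const FONT_FACE_RE = /@font-face\s*\{[^}]*\}/g;
const DATA_URI_RE  = /url\(\s*["']?data:(?:font|application)\/[\w.+-]+;base64,([A-Za-z0-9+/=]+)["']?\s*\)/i;

function findInlineFonts(html) {
  const out = [];
  for (const rule of html.match(FONT_FACE_RE) || []) {
    const m = rule.match(DATA_URI_RE);
    if (m) out.push({ rule, base64Length: m[1].length });
  }
  return out;
}

// Crude triage: count known words in the DOM text versus in the text as the
// font would render it. Readable words that only exist after the font is
// applied are the signature the article describes.
const KNOWN = new Set(["sign", "in", "to", "online", "banking", "user", "id",
                       "password", "account", "log", "enter", "your"]);
function knownWordCount(text) {
  return text.toLowerCase().split(/[^a-z]+/).filter((w) => KNOWN.has(w)).length;
}

function triage(html, domText, fontCmap) {
  const fonts = findInlineFonts(html);
  const rendered = mapText(domText, fontCmap);
  return {
    inlineFonts: fonts.length,
    rendered,
    flagged: fonts.length > 0 && knownWordCount(rendered) > knownWordCount(domText),
  };
}

// Constructed sample page; the base64 is a truncated placeholder, not a real font.
const DOM_TEXT = encodeForPage("Sign in to Online Banking");
const SAMPLE_HTML = `<style>
@font-face { font-family: "BankSans"; src: url("data:font/woff2;base64,d09GMgABAAAAAAQ=") format("woff2"); }
body { font-family: "BankSans", sans-serif; }
</style>
<h1>${DOM_TEXT}</h1>`;

console.log(DOM_TEXT);                               // cipher text as seen in the source
console.log(triage(SAMPLE_HTML, DOM_TEXT, cmap));   // rendered text and the flag
```

In a real investigation the mapping would be recovered by parsing the cmap table of the extracted woff or woff2 file with a font tool rather than typed in as a string, and the inline-font check is a triage signal rather than proof, since many legitimate sites also embed fonts as data: URIs.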

Figure 3: ‘Woff’ font specification

It’s also worth noting that the stolen bank branding is drawn as inline SVG (Scalable Vector Graphics), so no logo image file or URL appears in the page source. Linking to the bank’s actual logo files and other visual resources could otherwise be detected by the brand being impersonated.

Proofpoint first observed the use of this kit in May 2018, but it’s certainly possible that the kit appeared ‘in the wild’ at an earlier juncture. Most archive dates on resource files observed by Proofpoint in samples of this kit are from early June 2018.

Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, from security vendors and even from ‘savvy’ organisations proactively searching for brand abuse. In this case, the actors developed a phishing template that uses a custom web font to implement a substitution cipher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank. While the substitution cipher itself is simple, its implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.

Proofpoint identified several e-mail addresses associated with the phishing kit, both within the PHP source code and hard-coded as recipients of stolen credentials. These addresses included the following:

fatima133777@gmail[.]com

fitgirlp0rtia@gmail[.]com

hecklerkiller@yandex[.]com

netty6040@aol[.]com

nicholaklaus@yandex[.]com

oryodavied@gmail[.]com

realunix00@gmail[.]com

slidigeek@gmail[.]com

zerofautes@outlook[.]com

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.