Phishing Campaign Uses Custom Web Font to Avoid Detection

A new phishing threat has been revealed in which the hacker uses a custom web font on their phishing website, making the malicious code on the website difficult to detect.

Phishing can be defined as the attempt to obtain sensitive information such as passwords or credit card details from a victim by pretending to be a reputable organisation via electronic communication channels. Often conducted through emails, the messages look surprisingly legitimate, and often direct the victim to a website which is a convincing copy of the genuine site. When the user inputs their credentials into the fake website, the cybercriminal can harvest them and then use them for nefarious purposes, often for financial gain. The effects of this type of identity fraud are often devastating to the victim.

As more people are becoming aware of the threat that phishing poses to the integrity of their sensitive information, hackers have become more crafty in the way they design their campaigns. A wide range of tools are available to them to make their phishing attempt look more legitimate, such as using Java code to mask the fake URL and make the legitimate one appear instead. This use of custom font is another one of the many ingenious techniques that are making phishing attacks harder and harder to combat.

In this particular scam, the hacker has designed the website to look like that of a major U.S. bank. The website used in the scam is a good copy of the real website, using the correct logos and branded content to make the website appear legitimate. It invites the user to input their bank details, which the hacker can then harvest and use for malicious purposes or sell on the black market.

While on the surface the scam is just like many others, this scam is particularly ingenious in how the hacker sought to evade detection and make their phishing kit appear benign. Custom web fonts – woff files – are used to implement a substitution cipher that renders the ciphertext as plaintext while hiding the malicious code.

While the source code appears to be cleartext on the page, if it is copied and pasted into a text file, the source code appears to have been encrypted.

Custom web fonts have been used to replace one letter with another. While this technique is commonly employed via JavaScript, in this scam the substitution cipher is achieved using Cascading Style Sheets (CSS) code and two woff custom fonts, something that has not been seen before.

Security researchers at Proofpoint, a cybersecurity company, analysed the mechanism of the scam. “As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page,” explained Proofpoint.

Many banks have systems in place with which they can detect if their branding and logos are being used by unauthorised individuals. To circumvent this, hackers render the branding using scalable vector graphics (SVG). As such, the logo and its source do not appear in the source code.

According to Proofpoint, this phishing kit has been used since at least May 2018, but potentially for even longer. The technique may be novel, but it is simple enough to enable automated solutions to identify the phishing web page as malicious.
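The kind of automated check the last paragraph alludes to can be sketched as follows. This is an added example, not code from Proofpoint or from the phishing kit: it compares the text stored in the page source with the text the font would render and flags pages that only read as words after rendering. The glyph table, vocabulary and sample page are constructed for illustration, and the glyph table is assumed to have been recovered from the font file beforehand.

```python
import re

# Constructed glyph table: character in the page source -> letter the custom
# font draws for it. Assumed to have been recovered from the font file.
SRC = "abcdefghijklmnopqrstuvwxyz"
DRAWN = "qwertyuiopasdfghjklzxcvbnm"  # constructed, not the real kit's mapping
GLYPHS = str.maketrans(SRC + SRC.upper(), DRAWN + DRAWN.upper())

# Small constructed vocabulary of words expected on a bank login page.
COMMON = {"sign", "in", "to", "your", "account", "enter", "online",
          "password", "the", "and", "bank"}

# Constructed page: readable in a browser with the font, gibberish in source.
SAMPLE = """<html><head><style>
@font-face { font-family: x; src: url("fonts/a.woff") format("woff"); }
body { font-family: x; }
</style></head><body>
<h1>Lhoy hy ei figd kvvigye</h1>
<p>Cyecd figd iyshyc jkllbidm</p>
</body></html>"""

def visible_text(html):
    """Drop style/script blocks and tags, keep the text a user would see."""
    html = re.sub(r"(?is)<(style|script)\b.*?</\1>", " ", html)
    return " ".join(re.sub(r"(?s)<[^>]+>", " ", html).split())

def word_score(text):
    """Fraction of words found in the expected vocabulary (0.0 to 1.0)."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(w in COMMON for w in words) / len(words) if words else 0.0

def analyse(html, glyphs=None):
    """Compare the text as stored in the source with the text as rendered."""
    raw = visible_text(html)
    rendered = raw.translate(glyphs) if glyphs else raw
    return {
        "woff_font": bool(re.search(r"(?is)@font-face\s*\{[^}]*\.woff", html)),
        "raw_score": word_score(raw),
        "rendered_score": word_score(rendered),
        "rendered": rendered,
    }

def is_suspicious(report, gap=0.5):
    """Flag pages with a WOFF font whose text only reads as words once rendered."""
    return report["woff_font"] and report["rendered_score"] - report["raw_score"] >= gap
```

A page that loads a WOFF font but stores ordinary readable text scores the same before and after rendering, so it is not flagged.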