Cybercriminals engaged in phishing campaigns have adopted a new technique to help disguise nefarious webpages.
Cybersecurity researchers at global firm Proofpoint have highlighted a technique apparently used by cybercriminals that helps phishing pages evade detection by victims, organisations and even security companies.
The researchers found strange encoding in a credential-harvesting scheme, with the page purporting to be a major retail bank.
Hiding malicious pages
With this method, the phishing webpages use custom web font files (Web Open Font Format or WOFF files) to install a substitution cypher that makes the source code of phishing pages look harmless. When browsers render the phishing page, the average user sees the well-crafted fake landing page, which has been built to steal login credentials.
The source code of the page reveals encoded text that makes it difficult to figure out the nefarious purpose of the page, typically using JavaScript functions. In the case highlighted by Proofpoint, the page source did not have JavaScript functions to enable the use of the character substitution cypher; this was done instead from the CSS code for the landing page. Two fonts, ‘WOFF’ and ‘WOFF2’, were used and hidden via Base64 encoding.
Proofpoint said: “As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters ‘abcdefghi …’ with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page.”
The threat actor also used branding images in scalable vector graphics (SVG) format, which can be rendered through code. This cut out the requirement to load them from a location that stores image resources, which would usually help in detecting a scam such as this.
The method has been seen in a phishing kit dated in June of last year, but researchers spotted it a month earlier. Given how slick the evasion method used is, the framework could have been in use even earlier than summer 2018.
Constant stream of new phishing techniques
Threat intelligence lead at Proofpoint, Chris Dawson, said: “Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors and even from savvy organisations proactively searching for brand abuse. In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank.
“While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.”