Security firm Proofpoint has identified a phishing kit that uses a custom web font to impersonate a major retail bank brand.
The kit delivers the font as a Web Open Font Format (WOFF) file so that the landing page can contain substitution-ciphered text while the browser displays readable plaintext,
keeping the real wording out of the page source and away from automated scanners, the company says in a blog post.
Copying the text displayed on the landing page and pasting it into a text file yields ciphertext rather than the words shown on screen. The encoded text “can be decoded through
a straightforward character substitution cipher, making detection of the phishing landing page simple for automated systems,” Proofpoint writes.
It adds: “Substitution
functions in phishing kits are frequently implemented in JavaScript, but no such functions appeared in the page source. Instead, we identified the source of the substitution in the CSS code for the
landing page.”
That CSS loads “a custom web font file to make the browser render the ciphertext as plaintext.”
Proofpoint explains that the
Web Open Font Format expects the font's glyphs to be in standard alphabetical order, and that by “replacing the expected letters "abcdefghi..." with the letters to be substituted, the intended
text will be shown in the browser, but will not exist on the page.” The readable words therefore exist only at render time; the HTML itself holds nothing but the ciphertext.
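To make the mechanism concrete, here is an added example written for this page; it is not code from Proofpoint or from the phishing kit. It models the font as a permutation of the glyphs a–z (the letter permutation, the sample HTML, the placeholder font bytes and the login vocabulary are all constructed), shows the attacker-side encoding and the browser-side rendering, and sketches the check a scanner can run: if the raw page text contains no login vocabulary but the same text re-rendered through the font's glyph order does, the page is worth a closer look. The glyph order is passed in as a parameter because reading it out of a real WOFF file's cmap and glyph tables needs a font parser, which this snippet assumes is available elsewhere in the pipeline.

```javascript
"use strict";

// Lower-case letters in the order a WOFF font is expected to carry their glyphs.
const ALPHABET = "abcdefghijklmnopqrstuvwxyz";

// Constructed attacker key (an assumption, not the real kit's). Position i holds
// the letter whose glyph shape the custom font draws in the slot for ALPHABET[i]:
// the slot for 'a' contains the shape of 'q', so an 'a' in the HTML is displayed
// as 'q'. Characters outside a-z are left untouched by this model.
const GLYPH_ORDER = "qwertyuiopasdfghjklzxcvbnm";

// Attacker side: given the text that should appear on screen, produce the text
// to embed in the HTML so that the font renders it correctly.
function encodeForPage(plaintext, glyphOrder = GLYPH_ORDER) {
  let out = "";
  for (const ch of plaintext) {
    const i = glyphOrder.indexOf(ch);
    out += i === -1 ? ch : ALPHABET[i];
  }
  return out;
}

// Browser side, and therefore detector side: what the user sees once the font
// is applied. This is the inverse permutation of encodeForPage.
function renderThroughFont(pageText, glyphOrder = GLYPH_ORDER) {
  let out = "";
  for (const ch of pageText) {
    const i = ALPHABET.indexOf(ch);
    out += i === -1 ? ch : glyphOrder[i];
  }
  return out;
}

// Indicator 1: an @font-face rule whose source is an inline data: URI holding a
// WOFF/WOFF2 blob. Legitimate login pages normally reference a font by URL.
function hasInlineWebFont(html) {
  const re = /@font-face[^}]*src\s*:\s*url\(\s*["']?data:(?:font\/woff2?|application\/font-woff|application\/octet-stream)[^)]*\)/i;
  return re.test(html);
}

// Crude text extraction for the demo: drop <style> blocks and tags, collapse whitespace.
function extractVisibleText(html) {
  return html
    .replace(/<style[\s\S]*?<\/style>/gi, " ")
    .replace(/<[^>]+>/g, " ")
    .replace(/\s+/g, " ")
    .trim()
    .toLowerCase();
}

// Constructed vocabulary a bank login page would be expected to contain.
const LOGIN_TERMS = ["online banking", "sign in", "username", "password"];

function countTerms(text, terms) {
  return terms.filter((t) => text.includes(t)).length;
}

// Indicator 2: the raw page text carries none of the expected login vocabulary,
// but the same text re-rendered through the font's glyph order carries plenty.
// glyphOrder must come from the font itself (its cmap/glyph tables); parsing the
// WOFF is left to a font library and is not done here.
function analyzePage(html, glyphOrder) {
  const raw = extractVisibleText(html);
  const rendered = renderThroughFont(raw, glyphOrder);
  const rawHits = countTerms(raw, LOGIN_TERMS);
  const renderedHits = countTerms(rendered, LOGIN_TERMS);
  const inlineFont = hasInlineWebFont(html);
  return {
    inlineFont,
    rawHits,
    renderedHits,
    rendered,
    suspicious: inlineFont && renderedHits > rawHits,
  };
}

// Constructed landing page: the visible strings are ciphered with the key above and
// the "font" is a placeholder base64 blob, not a real WOFF file.
const SAMPLE_HTML = `<html><head><style>
@font-face { font-family: "brandfont"; src: url("data:font/woff;base64,AAAA") format("woff"); }
body { font-family: "brandfont"; }
</style></head><body>
<h1>${encodeForPage("online banking sign in")}</h1>
<label>${encodeForPage("username")}</label><input name="u">
<label>${encodeForPage("password")}</label><input name="p" type="password">
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyzePage(SAMPLE_HTML, GLYPH_ORDER), null, 2));
}
```

Run with `node`: the raw text of the sample page reads as gibberish and matches none of the login terms, while the re-rendered text matches all four, so the page is flagged. In a real pipeline the glyph order would be recovered from the embedded font rather than supplied by hand, and the vocabulary check would be one signal among several (the inline font itself, the SVG-only branding Proofpoint mentions, the credential-collecting form) rather than a verdict on its own.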
In addition, the stolen bank branding is “rendered via SVG (scalable vector graphics), so the logo and its
source do not appear in the source code. Linking to actual logos and other visual resources can also potentially be detected by the brand being impersonated.”
The firm concludes that bad
actors have “developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a
major US bank.”
It adds: “While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another
technique to hide their tracks and defraud consumers.”