Phishing Artists Use Fake Web Fonts When Hijacking Bank Brand: Report

Security firm Proofpoint has identified a phishing kit that uses fake fonts when hijacking a major retail bank brand.

The scheme uses Web Open Font Format (WOFF) files to get around encoding, the company says in a blog post. 

In one instance, the cyber felons copy cleartext from the webpage and paste it into a text file. The encoded text “can be decoded through a straightforward character substitution cipher, making detection of the phishing landing page simple for automated systems,” Proofpoint writes. 

It adds: “Substitution functions in phishing kits are frequently implemented in JavaScript, but no such functions appeared in the page source. Instead, we identified the source of the substitution in the CSS code for the landing page.”

In another instance, the bad actors use “a custom web font file to make the browser render the ciphertext as plaintext.”

Proofpoint explains that the Web Open Font Format expects the font to be in a standard alphabetical order -- and that by “replacing the expected letters "abcdefghi..." with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page.”

In addition, the stolen bank branding is “rendered via SVG (scalable vector graphics), so the logo and its source do not appear in the source code. Linking to actual logos and other visual resources can also potentially be detected by the brand being impersonated.”

The firm concludes that bad actors have “developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank.” 

It adds: “While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.”
