The latest cybercrime trick for phishing is the use of web fonts to implement the encoding and evade detection
Cybercrime keeps adopting new tricks to evade detection, especially in phishing. The latest is the use of web fonts to implement the encoding. It was discovered by Proofpoint security researchers, who analyzed a phishing kit with a peculiar encoding, used in a credential-harvesting scheme impersonating a major retail bank. According to the company's blog, while encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique at the time. When the phishing landing page renders in the browser, users are presented with a typical online banking credential phish leveraging stolen bank branding. However, the source code of the page contains unexpectedly encoded display text. Moreover, copying the cleartext from the rendered webpage and pasting it into a text file still results in encoded text: the custom font draws a different letter than the one stored in the HTML, so only the visual rendering is legible. The text can be decoded through a straightforward character substitution cipher.
The threat actors used a custom web font to implement a substitution cipher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank. The kit has been in use at least since May 2018, and possibly earlier.
According to Proofpoint, threat actors (both cybercriminals and state-sponsored hackers) continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse. In this case, they developed a phishing template that uses a custom web font to implement a substitution cipher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank. While the substitution cipher itself is simple, its implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers. The researchers first observed the use of this kit in May 2018, but it is certainly possible that it appeared in the wild earlier. Most archive dates on resource files they observed in samples of this kit are from early June 2018.
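The detection problem this creates for defenders is that a crawler or brand-monitoring scanner sees only the encoded text in the HTML, never the letters the font draws. The following added example (not Proofpoint's code, and not from the kit) shows a minimal check a defender can run: flag pages that embed a font inline and whose visible text only mentions the brand after the font's glyph mapping is undone. The sample page, the embedded font blob and the ROT13 glyph mapping are all constructed for illustration; a real analysis would recover the mapping from the font file's cmap table.

```python
import re

# CONSTRUCTED sample landing page: the displayed text is stored encoded in the
# HTML while an embedded @font-face font draws the "real" letters.
SAMPLE_HTML = """<html><head><style>
@font-face { font-family: 'x'; src: url(data:font/woff;base64,d09GRgABAAAA) format('woff'); }
body { font-family: 'x'; }
</style></head>
<body><h1>Jrypbzr gb Bayvar Onaxvat</h1><p>Cyrnfr fvta va</p></body></html>"""

FONT_FACE_DATA_URI = re.compile(r"@font-face\s*\{[^}]*url\(\s*['\"]?data:", re.I | re.S)
VISIBLE_TEXT = re.compile(r">([^<>]+)<")


def count_inline_fonts(html: str) -> int:
    """Number of @font-face rules whose source is an embedded data: URI."""
    return len(FONT_FACE_DATA_URI.findall(html))


def visible_text(html: str) -> str:
    """Crude text extraction: text nodes between tags, with style/script dropped."""
    html = re.sub(r"<(style|script)[^>]*>.*?</\1>", "", html, flags=re.I | re.S)
    return " ".join(t.strip() for t in VISIBLE_TEXT.findall(html) if t.strip())


def decode(text: str, glyph_map: dict) -> str:
    """Apply the source-codepoint -> drawn-glyph mapping recovered from the font."""
    return "".join(glyph_map.get(c, c) for c in text)


def rot13_map() -> dict:
    """CONSTRUCTED mapping: pretend the font draws ROT13 of each letter.
    A real kit uses an arbitrary permutation taken from the font's cmap."""
    m = {}
    for base in ("a", "A"):
        for i in range(26):
            m[chr(ord(base) + i)] = chr(ord(base) + (i + 13) % 26)
    return m


def assess(html: str, glyph_map: dict, brand_terms=("online banking", "sign in")) -> dict:
    """Suspect a font cipher when brand words appear only after undoing the mapping."""
    raw = visible_text(html)
    decoded = decode(raw, glyph_map)
    hits_raw = [t for t in brand_terms if t in raw.lower()]
    hits_dec = [t for t in brand_terms if t in decoded.lower()]
    inline = count_inline_fonts(html)
    return {
        "inline_fonts": inline,
        "raw_text": raw,
        "decoded_text": decoded,
        "font_cipher_suspected": inline > 0 and not hits_raw and bool(hits_dec),
    }
```

Because the mapping must first be recovered from the font, the inline-font count alone is a useful triage signal for pages whose visible text contains no dictionary words.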