Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters

fg xjc dua ihut vyfq, xjc uih jci sfat jg mjggfa

A new phishing campaign that uses a custom font to hide its tracks and evade detection has been uncovered.

Security house Proofpoint reports this week that miscreants hoping to steal login credentials from customers of "a major retail bank" were able to hide their phishing emails from automatic detection tools by seemingly scrambling their messages into gibberish. Once rendered in an email client, the messages appear as coherent text, thanks to a custom font unscrambling the letters.

Proofpoint said the phishing campaign has been in operation since at least May 2018, and is still active.

Here's how it works: the page loads a custom web font whose character map points the code point for "A" at the glyph shape of "E", "B" at the glyph shape of "H", and so on. The page source therefore carries a primitive substitution cipher: security tools scanning the HTML for keywords such as "login" or "password" see only a string of random letters, while the victim's browser, having applied the font, displays readable text. The trick only works if the browser or email client downloads and renders the custom font; wherever web fonts are blocked or the message is shown as plain text, the victim sees the raw gibberish instead.
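As an added illustration, not the phishing kit's own code nor anything from Proofpoint's analysis, the Python below models the technique end to end: the attacker enciphers the page text with a letter substitution, the font's character map (modelled here as a plain dictionary, since a real kit ships a WOFF file) undoes it at render time, and a naive keyword filter run over the page source finds nothing. It then shows the kind of check a filter can add instead: a data-URI web font combined with visible text that is nearly free of dictionary words. The substitution key, the sample page, the keyword and word lists, and the base64 "font" payload are all constructed placeholders.

```python
import base64
import re
import string

# Constructed substitution key: plaintext letter ALPHABET[i] is written as KEY[i]
# in the HTML. The kit's web font draws the plaintext glyph at the ciphertext
# code point, so the browser shows readable text while the source stays scrambled.
KEY = "qwertyuiopasdfghjklzxcvbnm"
ALPHABET = string.ascii_lowercase


def build_cipher(key=KEY):
    """Return (encode_map, font_cmap). encode_map is what the attacker applies to
    the page text; font_cmap models the font's character-to-glyph table (the
    inverse mapping), which is what the renderer effectively applies."""
    assert sorted(key) == list(ALPHABET), "key must be a permutation of a-z"
    enc = {}
    for p, c in zip(ALPHABET, key):
        enc[p] = c
        enc[p.upper()] = c.upper()
    cmap = {c: p for p, c in enc.items()}
    return enc, cmap


def substitute(text, table):
    """Apply a letter-substitution table, leaving digits and punctuation alone."""
    return "".join(table.get(ch, ch) for ch in text)


# Attacker side: the source carries ciphertext; the rendered page reads as plaintext.
PLAINTEXT = "Please login to your online banking account and confirm your password."
ENC, FONT_CMAP = build_cipher()
CIPHERTEXT = substitute(PLAINTEXT, ENC)

# Stand-in for the base64 WOFF a kit would embed (constructed, not a real font file).
FAKE_FONT_B64 = base64.b64encode(b"wOFF-placeholder").decode()

PHISH_HTML = f"""<html><head><style>
@font-face {{ font-family: 'bankfont'; src: url(data:font/woff;base64,{FAKE_FONT_B64}) format('woff'); }}
body {{ font-family: 'bankfont'; }}
</style></head>
<body><p>{CIPHERTEXT}</p><form><input name="x1"><input name="x2" type="password"></form></body></html>"""

# Constructed control page: same wording, no custom font.
BENIGN_HTML = f"<html><body><p>{PLAINTEXT}</p></body></html>"

KEYWORDS = ("login", "password", "banking", "account", "verify")
COMMON_WORDS = {"the", "to", "and", "your", "you", "please", "a", "of", "in", "is",
                "for", "account", "login", "online", "banking", "password",
                "confirm", "this", "that", "with", "we", "on"}


def visible_text(html):
    """Crude text extraction: drop style/script blocks, then strip tags."""
    no_style = re.sub(r"<(style|script)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    return re.sub(r"<[^>]+>", " ", no_style)


def keyword_hits(html):
    """The naive filter the font trick is designed to defeat."""
    text = visible_text(html).lower()
    return [k for k in KEYWORDS if k in text]


def has_data_uri_font(html):
    """True when an @font-face rule loads its font from an inline data: URI."""
    return re.search(r"@font-face[^}]*url\(\s*['\"]?data:", html, flags=re.I | re.S) is not None


def dictionary_ratio(text):
    """Fraction of alphabetic tokens found in a small word list; near 0 means gibberish."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(w in COMMON_WORDS for w in words) / len(words) if words else 0.0


def assess(html):
    """Combine the signals: embedded font plus unreadable visible text is suspicious
    even though no keyword matched."""
    text = visible_text(html)
    ratio = dictionary_ratio(text)
    enough_words = len(re.findall(r"[a-z]+", text.lower())) >= 5
    font = has_data_uri_font(html)
    return {
        "keyword_hits": keyword_hits(html),
        "data_uri_font": font,
        "dictionary_ratio": round(ratio, 2),
        "suspicious": font and enough_words and ratio < 0.2,
    }


def render(html, cmap=FONT_CMAP):
    """What the victim sees: each code point is drawn with the remapped glyph."""
    return " ".join(substitute(visible_text(html), cmap).split())


if __name__ == "__main__":
    print("source:  ", " ".join(visible_text(PHISH_HTML).split()))
    print("rendered:", render(PHISH_HTML))
    print("phish:   ", assess(PHISH_HTML))
    print("benign:  ", assess(BENIGN_HTML))
```

The dictionary check is deliberately loose: a real kit may remap only part of the alphabet, and legitimate pages do embed data-URI fonts, so in production the stronger move is to parse the embedded font's cmap table (for example with a font library) and apply it to the visible text before running keyword rules, exactly as the browser does.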

"In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank," Proofpoint said in its analysis.

"While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers."

That a phishing page would use a cipher to disguise its actual displayed text is not uncommon, says Proofpoint. Normally, however, that operation is performed through JavaScript. Most browser security tools now know to look for decryption or deobfuscating scripts in a message's source code, forcing the hackers in this operation to find another way to obfuscate their text.

The logos used in the fake banking page are also obfuscated. Instead of embedding the bank's actual logo image files, which anti-phishing systems can fingerprint, the kit draws them as inline scalable vector graphics, so there is no logo file or image URL in the page for a scanner to match against.

As always, one way to avoid phishing attacks (along with running antivirus and spam filters) is to avoid following links from any unsolicited or suspicious emails that purport to be from your bank. If in doubt, users can always open a new browser window and manually type in the bank's correct address and login to make sure they are on an authentic website. Viewing messages in plain-text, or disabling custom fonts, will also reveal or neuter any shenanigans. ®
