Proofpoint observes novel technique that uses custom web fonts to help phishing pages evade detection
Cybersecurity researchers at Proofpoint have discovered a new phishing technique that allows cybercriminals to hide phishing pages via custom web font files.
The researchers found the new technique after observing strange encoding in a credential harvesting scheme impersonating a major retail bank. A credential harvesting scheme is a common phishing scheme that involves tricking users into providing passwords or credentials.
Phishers emboldened
In this attack, the phishers used a custom web font file that caused the user’s browser to apply a substitution cipher when rendering the page, hiding the nefarious code underneath.
Although the code is invisible on the decoy landing page, a closer look at the source code revealed unexpected encoded display text.
Substitution functions are typically implemented in JavaScript. But when Proofpoint researchers dug into the source code, they found no JavaScript triggering the substitution. Instead, the source of the substitution was located in the CSS code, which made use of a custom font.
While the technique is novel, Proofpoint is keen to stress that automated security software should be able to handle the threat, as the text can be decoded through a straightforward character substitution cipher.
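The decoding step described above, as an added Python example (not code from Proofpoint or from the phishing kit): a scanner runs the page text through the font's substitution table before keyword matching and flags pages whose lure text only appears once rendered. The table, keywords and sample page are constructed for illustration, and the sketch assumes the table has already been recovered from the font file.

```python
import string
from html.parser import HTMLParser

# Constructed substitution table standing in for one recovered from a kit's
# font file (assumption): CIPHER[i] in the page source is drawn as PLAIN[i].
PLAIN = string.ascii_lowercase + string.ascii_uppercase
CIPHER = "qwertyuiopasdfghjklzxcvbnm" + "QWERTYUIOPASDFGHJKLZXCVBNM"
RENDERED_AS = str.maketrans(CIPHER, PLAIN)
KEYWORDS = ("sign in", "password", "account")  # illustrative lure terms


class VisibleText(HTMLParser):
    """Collect text nodes, skipping <style> and <script> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], False

    def handle_starttag(self, tag, attrs):
        self._skip = tag in ("style", "script")

    def handle_endtag(self, tag):
        self._skip = False

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(data.strip())


def keyword_hits(text):
    return [k for k in KEYWORDS if k in text.lower()]


def scan(html):
    """Compare keyword hits in the raw source with hits in the text as rendered."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    raw = " ".join(parser.chunks)
    custom_font = "@font-face" in html.lower()
    rendered = raw.translate(RENDERED_AS) if custom_font else raw
    src, shown = keyword_hits(raw), keyword_hits(rendered)
    return {"custom_font": custom_font, "hits_in_source": src, "hits_as_rendered": shown,
            "suspicious": custom_font and not src and bool(shown)}


# Constructed sample page: lure text stored encoded, custom font declared in CSS.
_ENC = str.maketrans(PLAIN, CIPHER)
SAMPLE = ("<style>@font-face{font-family:x;src:url(f.woff)}"
          "body{font-family:x}</style><h1>%s</h1><label>%s</label>"
          % ("Sign in to your account".translate(_ENC), "Password".translate(_ENC)))
```

Calling `scan(SAMPLE)` reports no keyword hits in the source but three in the rendered text, which is the mismatch worth alerting on.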
Proofpoint first observed the use of the kit in May, although it claims it may have been active in campaigns even earlier.
“Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organisations proactively searching for brand abuse,” said Proofpoint.
“While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.”