Proofpoint observes novel technique that uses custom web fonts to help phishing pages evade detection
Cybersecurity researchers at Proofpoint have discovered a new phishing technique that allows cybercriminals to hide phishing pages via custom web font files.
The researchers found the new technique after observing strange encoding in a credential harvesting scheme impersonating a major retail bank. A credential harvesting scheme is a common phishing scheme that involves tricking users into providing passwords or credentials.
In this attack, the phishers installed a custom web font file that instructed the user’s browser to install a substitution cipher that hid the nefarious code underneath.
Although the code is invisible on the decoy landing page, a closer look at the source code revealed unexpected encoded display text.
While the technique is novel, Proofpoint is keen to stress that automated security software should be able to handle the threat, as the text can be decoded through a straightforward character substitution cipher.
Proofpoint first observed the use of the kit in May, although it claims it may have been active in campaigns even earlier.
“Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organisations proactively searching for brand abuse,” said Proofpoint.
“While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.”