Phishing Website Utilizes Custom Web Fonts to Avoid Detection

Phishers continually develop new methods to keep their websites from being detected. One threat actor is now using custom web fonts to disguise malicious code on phishing websites.

The phishing scam impersonates a major U.S. bank in an attempt to get users to divulge their banking credentials. The website used in the scam is well constructed and, like many similar scams, uses stolen proprietary content to make the site look genuine.

On the surface the scam looks like many others, but the threat actors have used a clever technique to evade detection and make their phishing kit appear benign. Custom web fonts (Web Open Font Format, or WOFF, files) are used to implement a substitution cipher: the ciphertext in the page source is rendered as plaintext in the browser, while the malicious code stays hidden.

The text appears as plaintext when the page is rendered in a browser, but if it is copied from the source and pasted into a text file, it appears to have been encoded.

The custom web fonts substitute one letter for another. Substitution of this kind is usually implemented with JavaScript, but in this scam the substitution cipher is achieved with Cascading Style Sheets (CSS) code and two custom WOFF fonts, something that had not been seen before.

The phishing web page was examined by security researchers at Proofpoint. “As the Web Open Font Format (WOFF) expects the font to be in a usual alphabetical sequence, substituting the expected letters ‘abcdefghi…’ with the letters to be replaced, the envisioned text will be displayed in the browser, but will not be on the page,” explained Proofpoint.
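The mechanism Proofpoint describes has a useful defensive consequence: the text the browser shows and the text in the HTML source disagree, so a scanner that only reads the source can look for text that is styled with a page-supplied WOFF font yet does not read as natural language. The script below is an added example written for this article; it is not Proofpoint's tooling and not the phishing kit's code. It assumes a page that declares fonts with `@font-face`, applies them through a class rule or an inline `style`, and has no nested text elements; the sample page, the `Glyphs` font name, the `.shield` class and the reversed-alphabet mapping used to build the sample are all constructed here for illustration.

```python
"""Heuristic detector for CSS/WOFF glyph-substitution obfuscation.

Added example, not the phishing kit's or Proofpoint's code. The font file
itself is not parsed; the check is purely on the page source: text styled
with a page-supplied WOFF font that does not look like English is flagged.
"""
from __future__ import annotations

import re
import string

# Constructed mini wordlist; a real deployment would load a full dictionary.
COMMON_WORDS = set("""
the to of and in for on with you your a an is are this that sign log
online banking account secure continue please enter password username
welcome bank customer service help contact us privacy terms
""".split())

WORD_RE = re.compile(r"[a-z]+")
FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I | re.S)
FAMILY_RE = re.compile(r"font-family\s*:\s*['\"]?([^;'\"]+)['\"]?", re.I)
SRC_RE = re.compile(r"src\s*:\s*([^;]+)", re.I | re.S)
RULE_RE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
# Only text-bearing tags; nesting of the same tag is not handled (assumption).
ELEMENT_RE = re.compile(r"<(p|span|div|a|h\d)\b([^>]*)>(.*?)</\1>", re.S | re.I)


def custom_woff_families(html: str) -> set[str]:
    """Font-family names declared by @font-face rules that load a WOFF file."""
    families = set()
    for body in FONT_FACE_RE.findall(html):
        fam, src = FAMILY_RE.search(body), SRC_RE.search(body)
        if fam and src and "woff" in src.group(1).lower():
            families.add(fam.group(1).strip().strip("'\""))
    return families


def classes_using(html: str, families: set[str]) -> set[str]:
    """CSS class selectors whose rule applies one of the suspect families."""
    classes = set()
    for cls, body in RULE_RE.findall(html):
        fam = FAMILY_RE.search(body)
        if fam and fam.group(1).strip().strip("'\"") in families:
            classes.add(cls)
    return classes


def text_in_elements(html: str, classes: set[str], families: set[str]) -> list[tuple[str, str]]:
    """(how the font was applied, text) for each element using a suspect font."""
    found = []
    for _tag, attrs, inner in ELEMENT_RE.findall(html):
        cls_m = re.search(r'class="([^"]*)"', attrs)
        style_m = re.search(r'style="([^"]*)"', attrs)
        via = None
        if cls_m and set(cls_m.group(1).split()) & classes:
            via = "class"
        elif style_m:
            fam = FAMILY_RE.search(style_m.group(1))
            if fam and fam.group(1).strip().strip("'\"") in families:
                via = "inline style"
        if via:
            found.append((via, re.sub(r"<[^>]+>", " ", inner).strip()))
    return found


def english_ratio(text: str) -> float:
    """Fraction of alphabetic tokens found in the wordlist (1.0 if no tokens)."""
    words = WORD_RE.findall(text.lower())
    if not words:
        return 1.0
    return sum(1 for w in words if w in COMMON_WORDS) / len(words)


def detect(html: str, threshold: float = 0.3) -> list[dict]:
    """Flag source text under a page-supplied WOFF font that does not read as English."""
    families = custom_woff_families(html)
    classes = classes_using(html, families)
    return [
        {"via": via, "text": text, "english_ratio": round(ratio, 2)}
        for via, text in text_in_elements(html, classes, families)
        if (ratio := english_ratio(text)) < threshold
    ]


# Constructed glyph remapping used only to build the sample page: the kit's
# font would draw the glyph for each source letter as a different letter.
# A reversed alphabet stands in for whatever mapping the real font encodes.
KEY = dict(zip(string.ascii_lowercase, string.ascii_lowercase[::-1]))


def as_in_source(rendered: str) -> str:
    """Letters that must sit in the HTML for the remapped font to display `rendered`."""
    return "".join(KEY.get(c, c) for c in rendered.lower())


# Constructed sample page: two obfuscated prompts and one ordinary paragraph.
SAMPLE_HTML = f"""<html><head><style>
@font-face {{ font-family: 'Glyphs'; src: url(fonts/glyphs.woff) format('woff'); }}
.shield {{ font-family: 'Glyphs', sans-serif; }}
</style></head><body>
<p class="shield">{as_in_source('Sign in to online banking to continue')}</p>
<p style="font-family: 'Glyphs'">{as_in_source('Enter your username and password')}</p>
<p>Welcome to the bank. Please contact us for help.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_HTML):
        print(finding)
```

The ordinary paragraph is not reported even though its words are plain English, because it never uses the page-supplied font; only text that depends on the WOFF file for its appearance is judged. The heuristic is deliberately narrow: it cannot see the glyphs, so a kit that ships an unmodified font, or a page in a language outside the wordlist, will not trip it. A fuller check would parse the WOFF with a font library and compare each character's glyph outline against a reference font, which is what a rendering-aware scanner does.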

Banks can detect fraudulent use of their branding; to get around this, the phishers render the branding using scalable vector graphics (SVG), so the logo and its source do not appear in the page's source code.

According to Proofpoint, this phishing kit has been in use since at least May 2018, and possibly longer. The technique may be new, but it is simple enough that automated solutions can still recognize the phishing web page as malicious.