Threat actors want to maintain anonymity in their operations, especially in the art of virus development and phishing expedition. They continue to find ways to bypass detection, as mere suspicion from regular users may render their development time useless. Most especially in the art of phishing were the capability to convince unsuspecting users to follow a link in their email or instant message is necessary to reach their goal of stealing information and/or espionage.
This time, a recent study by Proofpoint revealed that some clever phishers are encoding the source code of their phishing messages through obfuscation of web fonts, also known as Woff and Woff2 base64-encoding scheme. They started using ‘character substitution cipher; it uses CSS instead of the usual Javascript code.
“This phishing landing then is utilizing a custom web font file to make the browser render the ciphertext as plaintext. As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters ‘abcdefghi…’ with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page. It is also worth noting that the stolen bank branding is rendered via SVG (scalable vector graphics), so the logo and its source do not appear in the source code. Linking to actual logos and other visual resources can also potentially be detected by the brand being impersonated,” explained a Proofpoint staff in their official blog.
Phishers now have access to the ‘kit’ that contains this obfuscation technique in WOFF and WOFF2 fonts since May 2018, but the earliest specimen that Proofpoint got was dated June 2018. Through the use of the ‘kit’, it can be used as a standard template for immediate phishing campaigns, creating an environment friendly for the development of genuine-looking fake sites. Any phishers that would like to use this font obfuscation technique can use it, as part of the ‘kit’ released to phishers circles.
Proofpoint has collected below email address, which they think are strongly linked with the phishers using font obfuscation scheme. Below list of email addresses were seen in the source code of the phishing messages:
- fatima133777@gmail[.]com
- fitgirlp0rtia@gmail[.]com
- hecklerkiller@yandex[.]com
- netty6040@aol[.]com
- nicholaklaus@yandex[.]com
- oryodavied@gmail[.]com
- realunix00@gmail[.]com
- slidigeek@gmail[.]com
- zerofautes@outlook[.]com
“Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse. In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank. While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers. While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding,” concluded Proofpoint.
