Latest Phishing Scam is Hiding Behind Custom Fonts

January 07, 2019

Researchers have discovered yet another tactic cyber criminals are using to dodge detection.

According to cyber security researchers at Proofpoint, the new phishing method, which targets a major US bank in the hope of obtaining credentials, uses a ‘never-before-seen’ technique that takes advantage of custom fonts to evade detection. Once the phishing link has been accessed, the victim is led to an official-looking login page for the US bank. In fact, the page source contains encoded display text (which stays encoded even after being copied and pasted into a word file), and the page is set up to steal your data.

Code snippet from phishing landing page with encoded display text


The webpages use custom web font files, also known as woff files, to install a substitution cypher, which causes the source code of the infected page to appear safe and secure. Substitution functions are commonly used in phishing kits and are implemented in JavaScript, but according to Proofpoint, ‘no such functions appeared in the page source’; instead, they identified the source of the substitution in the CSS (cascading style sheet) code for the landing page.

CSS code for phishing landing page with @font-face rule


Following investigation, it was found that two fonts, woff and woff2, were used and hidden through base64 encoding. Basically, the substitution cypher replaces the normal letter sequence, ‘abcdefghi’, with the letters to be substituted. This kit was first discovered in May 2018, although it may have appeared in the wild earlier. Alongside this, the bank branding was rendered via scalable vector graphics (SVG), meaning the logo and its original source do not appear in the source code.
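A defender-side check for the pattern described above, as an added example that is not from Proofpoint's report or this article: it flags page source that embeds a WOFF/WOFF2 font as a base64 data: URI inside an @font-face rule while the text in the source is mostly not recognisable words. The word list, the threshold, the function names and both sample pages are constructed assumptions.

```python
import base64
import re

FONT_MAGIC = {b"wOFF": "woff", b"wOF2": "woff2"}  # font file signatures
FONT_FACE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I)
DATA_URI = re.compile(r"url\(\s*['\"]?data:[^,]*;base64,([A-Za-z0-9+/=]+)", re.I)
# Tiny constructed word list; a real scanner would use a full dictionary.
COMMON = {"sign", "in", "to", "your", "account", "user", "name", "password",
          "online", "banking", "forgot", "the", "and", "log"}

def embedded_fonts(page):
    """Formats of fonts shipped as base64 data: URIs inside @font-face rules."""
    formats = []
    for rule in FONT_FACE.findall(page):
        for blob in DATA_URI.findall(rule):
            try:
                head = base64.b64decode(blob[:8])[:4]  # first 4 decoded bytes
            except ValueError:
                continue  # not valid base64, ignore
            if head in FONT_MAGIC:
                formats.append(FONT_MAGIC[head])
    return formats

def readable_ratio(page):
    """Share of words in the source text (tags and <style> removed) that are known."""
    text = re.sub(r"<style.*?</style>|<[^>]+>", " ", page, flags=re.S | re.I)
    words = re.findall(r"[a-z]{2,}", text.lower())
    return sum(w in COMMON for w in words) / len(words) if words else 1.0

def looks_font_obfuscated(page, threshold=0.3):
    """Flag pages that embed a font AND whose source text is mostly unreadable."""
    return bool(embedded_fonts(page)) and readable_ratio(page) < threshold

# Constructed samples: a stand-in font (signature plus padding, not a real font)
# and login text shifted by one letter to imitate encoded text in the source.
FAKE_FONT = base64.b64encode(b"wOF2" + bytes(8)).decode()
CSS = ("<style>@font-face{font-family:x;"
       "src:url(data:application/font-woff2;base64,%s)}</style>" % FAKE_FONT)
SHIFT = str.maketrans("abcdefghijklmnopqrstuvwxyz", "bcdefghijklmnopqrstuvwxyza")
WORDS = "sign in to your online banking account"
PLAIN_PAGE = CSS + "<p>" + WORDS + "</p>"
CIPHER_PAGE = CSS + "<p>" + WORDS.translate(SHIFT) + "</p>"

if __name__ == "__main__":
    for name, page in (("plain", PLAIN_PAGE), ("cipher", CIPHER_PAGE)):
        print(name, embedded_fonts(page), looks_font_obfuscated(page))
```

An embedded font alone is common on legitimate sites, which is why the check requires both signals before flagging a page.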

In conclusion, Proofpoint said: “Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse. In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank. While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.”

Domain Impersonation: The Popular New Tactic for Phishing Attacks

Domain impersonation is an increasingly common problem affecting businesses and their customers. Phishing attackers are now advancing their level of sophistication by utilising domain impersonation as part of BEC scams that can result in CEO fraud, malware infection, or ransom.