Phishers are constantly developing new ways to prevent their websites from being detected. One threat actor is now using custom web fonts to disguise malicious code on phishing websites.
The phishing scam spoofs a major U.S. bank in an attempt to get users to disclose their banking credentials. The website used in the scam is well crafted, and like many similar scams, uses stolen branded content to make the website appear legitimate.
While on the surface the scam is just like many others, the threat actors have used a clever trick to evade detection and make their phishing kit appear benign. Custom web fonts – woff files – are used to implement a substitution cipher that renders the ciphertext as plaintext while hiding the malicious code.
While the source code appears to be cleartext on the page, if it is copied and pasted into a text file, the source code appears to have been encrypted.
Custom web fonts have been used to replace one letter with another. While this technique is commonly employed via JavaScript, in this scam the substitution cypher is achieved using cascading Style Sheets (CSS) code and two woff custom fonts. Something that has not been seen before.
The phishing web page was analyzed by security researchers at Proofpoint. “As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page,” explained Proofpoint.
It is possible for banks to detect fraudulent use of their branding, but to get around this the phishers render the branding using scalable vector graphics (SVG). As such, the logo and its source do not appear in the source code.
According to Proofpoint, this phishing kit has been used since at least May 2018, but potentially for even longer. The technique may be novel, but it is simple enough to enable automated solutions to identify the phishing web page as malicious.