Researchers at Proofpoint recently discovered an active credential-harvesting phishing scheme. Once a victim clicks the link in the initial phishing email, the resulting landing page looks like the login page of a major U.S. bank. In reality the page is built to steal banking customers’ credentials. The phishing kit uses custom web fonts to obfuscate the landing page’s source code.
With this method, the phishing pages load custom web font files (Web Open Font Format, or WOFF) that implement a substitution cipher, so the source code of the phishing pages looks harmless. When a browser renders the page with that font, the user sees the well-crafted fake login page that has been built to steal credentials.
The substitution cipher replaces the letters the victim is meant to see on the page (“abcdefghi…”) with different letters in the source code, and the font then draws each of those letters as the intended glyph. The intended text is shown in the browser but does not exist anywhere in the page’s source.
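As an added example (not code from Proofpoint’s report or from the kit), the following Python models the decoding a defender would do: GLYPH_MAP is a constructed stand-in for the source-character-to-drawn-letter mapping recovered from the embedded WOFF, and analyse_page flags a page that embeds a WOFF and whose login wording appears only after that mapping is applied.

```python
import re
import string

# Constructed stand-in for the source-character -> drawn-letter mapping a defender
# recovers from the kit's embedded WOFF; no real font file is parsed here.
_ALPHABET = string.ascii_lowercase
_SHIFT = 11  # hypothetical key; real kits use an arbitrary permutation
GLYPH_MAP = {c: _ALPHABET[(i + _SHIFT) % 26] for i, c in enumerate(_ALPHABET)}
GLYPH_MAP.update({c.upper(): GLYPH_MAP[c].upper() for c in _ALPHABET})
_INVERSE = {drawn: src for src, drawn in GLYPH_MAP.items()}

EMBEDDED_WOFF_RE = re.compile(
    r"@font-face\s*\{[^}]*url\(\s*['\"]?data:(?:font/woff2?|application/font-woff)", re.S)
STYLE_SCRIPT_RE = re.compile(r"<(style|script)[^>]*>.*?</\1>", re.S | re.I)
TEXT_NODE_RE = re.compile(r">([^<>]+)<")
CREDENTIAL_WORDS = ("sign in", "password", "user id", "online banking")

def render_text(source_text: str) -> str:
    """Return what the browser displays once the custom font substitutes glyphs."""
    return "".join(GLYPH_MAP.get(ch, ch) for ch in source_text)

def obfuscate(display_text: str) -> str:
    """Scrambled source text a kit would emit for display_text (used to build sample data)."""
    return "".join(_INVERSE.get(ch, ch) for ch in display_text)

def analyse_page(html: str) -> dict:
    """Flag pages that embed a WOFF and whose login wording appears only after decoding."""
    body = STYLE_SCRIPT_RE.sub("", html)
    texts = [t.strip() for t in TEXT_NODE_RE.findall(body) if t.strip()]
    source = " ".join(texts)
    rendered = render_text(source)
    in_source = [w for w in CREDENTIAL_WORDS if w in source.lower()]
    after_decode = [w for w in CREDENTIAL_WORDS if w in rendered.lower()]
    embedded = bool(EMBEDDED_WOFF_RE.search(html))
    return {
        "embedded_woff": embedded,
        "rendered_text": rendered,
        "keywords_in_source": in_source,
        "keywords_after_decode": after_decode,
        "suspicious": embedded and len(after_decode) > len(in_source),
    }

# Constructed phishing page: inline WOFF data URI plus obfuscated login-form labels.
SAMPLE_PHISH = (
    "<style>@font-face { font-family: f; src: url('data:font/woff;base64,AAAA'); }</style>\n"
    f"<h1>{obfuscate('Online Banking')}</h1><label>{obfuscate('User ID')}</label>"
    f"<label>{obfuscate('Password')}</label><button>{obfuscate('Sign In')}</button>"
)
```

A page that uses the same login wording in plain text and loads no embedded font is not flagged, which keeps the check from firing on legitimate bank pages.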
To further obfuscate the phishing attempt, the threat actor rendered the bank’s branding imagery as inline SVG (Scalable Vector Graphics), which the browser draws from code. This eliminates the need to load image files from a hosting location, a request that would otherwise help with detection.
As always, potential victims should be extremely careful about clicking URLs, and should navigate directly to their bank’s website rather than following links in email.