Webfonts used in phishing attack

Researchers at Proofpoint recently discovered an active credential-harvesting phishing scheme. Once a victim clicks through from the initial phishing email, the resulting landing page looks like the login page of a major U.S. bank. In reality, the page is built to steal banking customers’ credentials. The phishing kit uses custom web fonts to obfuscate the source code of the landing page.

With this method, the phishing pages use custom web font files (Web Open Font Format, or WOFF, files) to implement a substitution cipher that makes the source code of the phishing pages look harmless. When a browser renders the phishing page, the average user sees the well-crafted fake landing page, which has been built to steal login credentials.

The source code, however, contains encoded text that makes it difficult to figure out what the page does. This kind of obfuscation is typically implemented through JavaScript functions. In the case highlighted by Proofpoint, the page source had no JavaScript functions implementing the character substitution cipher; the novelty here is that the substitution was done from the CSS code for the landing page. Two fonts, ‘WOFF’ and ‘WOFF2’, were used and hidden via Base64 encoding.

The substitution cipher replaces the expected alphabetical letters shown to the victim on the page (“abcdefghi…”) with other letters in the source code. The intended text is shown in the browser but does not exist in the page source.
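A triage check for the pattern described above, as an added example that is not code from Proofpoint or from the original post: it flags a page whose CSS embeds a WOFF/WOFF2 font as an inline Base64 `data:` URI while the text in its source does not read as English. The word list, the 0.3 threshold and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: tiny English login-page vocabulary; use a full word list in practice.
COMMON = {"the", "and", "to", "in", "on", "of", "your", "you", "for", "with",
          "please", "enter", "sign", "log", "login", "username", "password",
          "account", "email", "continue", "online", "banking"}
THRESHOLD = 0.3  # assumed cut-off for "source text is not readable"

# @font-face rule whose src is an inline Base64 data: URI carrying WOFF/WOFF2
INLINE_FONT = re.compile(
    r"@font-face\s*\{[^}]*url\(\s*['\"]?data:[^,)]*woff[^,)]*;base64,", re.I)


class SourceText(HTMLParser):
    """Collects lowercase words from text nodes, skipping <style>/<script>."""

    def __init__(self):
        super().__init__()
        self.skip, self.words = 0, []

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.words += re.findall(r"[a-z]+", data.lower())


def triage(html):
    """Flag pages that embed a font inline AND whose source text is unreadable."""
    parser = SourceText()
    parser.feed(html)
    parser.close()
    fonts = len(INLINE_FONT.findall(html))
    words = parser.words
    readable = sum(w in COMMON for w in words) / len(words) if words else 1.0
    return {"inline_fonts": fonts, "readable": round(readable, 2),
            "suspicious": fonts > 0 and readable < THRESHOLD}


# Constructed samples: "AAAA" stands in for font data; the first <p> is the second
# one after an arbitrary letter substitution, as it would appear in page source.
FONT = ("<style>@font-face{font-family:f;src:url(data:application/font-woff2;"
        "base64,AAAA) format('woff2')}body{font-family:f}</style>")
OBFUSCATED = FONT + "<p>Hstqlt tfztk ngxk xltkfqdt qfr hqllvgkr zg louf gf</p>"
READABLE = FONT + "<p>Please enter your username and password to sign on</p>"
```

Inline icon fonts and non-English pages will also trip this heuristic, so treat a hit as a reason to compare the rendered page with its source, not as a verdict.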

To further obfuscate the phishing attempt, the threat actor used branding imagery in SVG (scalable vector graphics) format, which can be rendered through code. This eliminates the need to load the images from a location that stores image resources; loading them from such a location would have helped with detection.

As always, potential victims should be extremely careful about clicking URLs and should go directly to bank websites instead of following links.
