New phishing kit found leveraging fake web fonts to evade detection

• The technique is used by hackers to redirect users to a fake landing page and steal their login credentials.
• Apart from changing the web fonts, the hackers are observed using the phishing kit to change the bank logo.

A new phishing kit that uses fake web fonts has been observed evading detection by organizations and security firms. The technique is used by hackers to redirect users to a fake landing page and steal their login credentials.

How is it done?

According to a blog post from Proofpoint, the phishing kit has been in use since May 2018. The researchers have identified several email addresses associated with the phishing kit that is used to steal credentials.

The specially-crafted phishing web pages use customized web font files known as Web Open Font Format to add an encrypted font as a substitute for the original font. These web pages are presented to users as fake online banking pages, thus tricking them into revealing their login credentials.

“As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters "abcdefghi..." with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page," said Proofpoint researchers in a blog post.

In this way, the letters can be substituted with the intended text and will not appear on the page.

Taking the crime one step ahead

Apart from changing the web fonts, the hackers were observed using the phishing kit to change the bank logo. The researchers observed that the hackers used scalable vector graphics (SVG) to capture the logo of a major US bank - and that the image and source did not appear in the source code - to evade detection.

“We first observed the use of this kit in May 2018, but it is certainly possible that the kit appeared in the wild earlier. Most archive dates on resource files we have observed in samples of this kit are dated early June 2018,” the researchers explained.

While substitution cypher with web fonts may sound simple by itself, researchers claim that the implementation via web font files can enable hackers to conduct several other fraud activities.