pixel_dreams - Fotolia
The researchers believe this is the first time this technique of disguising malicious code to evade detection has been observed.
The well-crafted phishing web pages use custom web font files known as “woff files” to implement a substitution cypher that makes the source code of phishing pages appear benign.
When the phishing landing page renders in the browser, users are presented with a typical online banking credential phish using stolen bank branding, but includes encoded display text.
Instead, the researchers identified the source of the substitution in the CSS [cascading style sheet] code for the landing page.
The researchers extracted, converted and viewed the woff and woff2 web font files to discover the phishing landing page was using those custom web font files to make the browser render the ciphertext as plaintext, while the malicious code remained hidden.
The researcher noted that linking to actual logos and other visual resources can also potentially be detected by the brand being impersonated, but in this campaign, the stolen bank branding is rendered via scalable vector graphics (SVG), so the logo and its source do not appear in the source code to evade detection.
The researchers said the phishing kit has been in use since May 2018, but add that the technique could have been in use earlier. They also identified several email addresses associated with the phishing kit, both within the hypertext prepossessor (PHP) source code and hard-coded as recipients of stolen credentials.
Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security suppliers and even from savvy organisations proactively searching for brand abuse, the researchers warn.
“In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank,” they said in a blog post.
While the substitution cypher itself is simple, the researchers said the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.