A new phishing scam has been detected that uses a novel method to evade detection: custom web fonts that implement a substitution cipher, so that the text in the phishing kit's source code no longer matches what the visitor sees on screen.

When users visit the phishing website they are presented with the logos and the standard login page of their bank. Apart from the domain name, nothing indicates to the user that the site is not genuine. As with similar phishing scams, any credentials the user enters are harvested by the scammer and used to gain access to the victim's bank account.

These types of phishing scams are now commonplace, although the latest campaign has an interesting twist, one that makes it much harder to detect the site as malicious.

Many phishing kits obfuscate their source code to make it harder to determine what it does. One method used in the past is a substitution cipher: individual letters are replaced with other letters (abcd becomes jehr, for example) and the page decodes them before display. The page is rendered correctly for the user, but a program that reads the source code is presented with jumbled, gibberish letters.

Substitution ciphers have usually been implemented in JavaScript, which is fairly easy to detect. The latest campaign instead uses custom web fonts (WOFF files) that are embedded directly in the page as base64-encoded data rather than loaded from a separate URL. The font's glyph mapping performs the cipher: the source code contains the substituted letters, and the font renders each one as the letter the visitor is meant to see, so the underlying source stays hidden while the rendered page reads as plaintext. The substitution is driven entirely by CSS on the landing page, with no JavaScript involved. This technique had not been seen in use before.

The result is that users see a standard banking login page, while software that scans the page's source sees text that does not match the strings a login page is expected to contain. As an additional measure to avoid detection, the branding stolen from the targeted bank is also obfuscated. It is common for bank logos to be copied and included on phishing pages to convince visitors they are on the genuine site, but the use of those logos can be detected. In this campaign the logos are rendered using scalable vector graphics (SVG) rather than loaded as image files, so neither the logo files nor their source URLs appear in the source code of the page.
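The following is an added example, not code from the phishing kit or from the original report, showing the two signals a scanner can look for in such a page: a WOFF font embedded in CSS as a base64 data: URI, and visible source text that is gibberish because its letters have been substituted. The substitution key, the short login-page wordlist and the WOFF blob (only a header plus padding, not a usable font) are all constructed for the example; a real kit carries the key inside the font's character map, from which a defender would recover it with a font-parsing library.

```python
"""Heuristics for the font-based substitution cipher trick.

Added example (not the kit's or the article's code). Two observable signals:
  1. a CSS @font-face whose src is a base64 data: URI decoding to a WOFF file
     (magic bytes b"wOFF" or b"wOF2"), i.e. the font ships inside the page;
  2. visible text in the HTML source that is gibberish, because only the
     embedded font turns the substituted letters back into readable ones.
The key and the WOFF blob below are constructed for the example.
"""
import base64
import re
from html.parser import HTMLParser

PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "jehrkqwxtzpmyvbsdlnuacfgio"  # constructed key; "abcd" -> "jehr" as in the text
ENCODE = dict(zip(PLAIN, CIPHER))       # what the kit writes into the HTML source
DECODE = dict(zip(CIPHER, PLAIN))       # what the font's glyph mapping undoes on screen


def substitute(text, table):
    """Letter-for-letter substitution; keeps case, digits and punctuation as-is."""
    out = []
    for ch in text:
        rep = table.get(ch.lower())
        if rep is None:
            out.append(ch)
        else:
            out.append(rep.upper() if ch.isupper() else rep)
    return "".join(out)


# url(data:<mime>;base64,<payload>) inside CSS, with or without quotes
FONT_RE = re.compile(r"url\(\s*['\"]?data:([^;,)]+);base64,([A-Za-z0-9+/=]+)['\"]?\s*\)", re.I)
WOFF_MAGIC = (b"wOFF", b"wOF2")


def embedded_fonts(css):
    """Return (mime, magic) for each base64 data: URI in css that decodes to a WOFF file."""
    found = []
    for mime, payload in FONT_RE.findall(css):
        try:
            blob = base64.b64decode(payload, validate=True)
        except ValueError:
            continue
        if blob[:4] in WOFF_MAGIC:
            found.append((mime, blob[:4].decode("ascii")))
    return found


class _PageText(HTMLParser):
    """Collect the text a browser would display, plus the contents of <style> blocks."""

    def __init__(self):
        super().__init__()
        self.text, self.css, self._stack = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1] == tag:
            self._stack.pop()

    def handle_data(self, data):
        if not self._stack:
            self.text.append(data)
        elif self._stack[-1] == "style":
            self.css.append(data)


# Tiny constructed wordlist of strings expected on a bank login page.
LOGIN_WORDS = {"sign", "in", "to", "online", "banking", "user", "id", "username",
               "password", "log", "login", "forgot", "your", "remember", "me", "enter"}


def gibberish_ratio(text):
    """Fraction of alphabetic words (2+ letters) that are not recognised login-page words."""
    words = [w.lower() for w in re.findall(r"[A-Za-z]{2,}", text)]
    if not words:
        return 0.0
    return sum(w not in LOGIN_WORDS for w in words) / len(words)


def analyse_page(html):
    """Flag a page that both embeds a WOFF font inline and whose source text is gibberish."""
    parser = _PageText()
    parser.feed(html)
    fonts = embedded_fonts("".join(parser.css))
    text = " ".join(" ".join(parser.text).split())
    ratio = gibberish_ratio(text)
    return {
        "embedded_woff_fonts": len(fonts),
        "gibberish_ratio": round(ratio, 2),
        "source_text": text,
        "suspicious": bool(fonts) and ratio > 0.5,
    }


# Constructed sample pages. FAKE_WOFF is a WOFF header plus padding, not a usable font.
FAKE_WOFF = base64.b64encode(b"wOFF" + b"\x00" * 40).decode("ascii")
PHISH_HTML = f"""<html><head><style>
@font-face {{ font-family: "cipher"; src: url("data:font/woff;base64,{FAKE_WOFF}") format("woff"); }}
body {{ font-family: "cipher"; }}
</style></head><body>
<h1>{substitute("Sign in to Online Banking", ENCODE)}</h1>
<form><label>{substitute("User ID", ENCODE)}</label><input name="u">
<label>{substitute("Password", ENCODE)}</label><input name="p" type="password"></form>
</body></html>"""
BENIGN_HTML = ("<html><body><h1>Sign in to Online Banking</h1>"
               "<label>User ID</label><label>Password</label></body></html>")

if __name__ == "__main__":
    for name, page in (("phish", PHISH_HTML), ("benign", BENIGN_HTML)):
        print(name, analyse_page(page))
    # Once the key is recovered from the font, the source text reads back as plaintext.
    print(substitute(analyse_page(PHISH_HTML)["source_text"], DECODE))
```

The gibberish heuristic here relies on a toy wordlist and will mis-score localised or unusually worded pages; in practice a scanner should either render the page in a headless browser and compare the on-screen text with the source, or parse the embedded font's character map to invert the substitution as the last line of the script does with the known key.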

These tactics could easily be used to target finance department employees and fool them into disclosing their corporate banking credentials, allowing business accounts to be plundered.

These new techniques show just how important it is to block phishing emails at source, before they reach end users' inboxes, and to provide employees with comprehensive cybersecurity training that helps them identify potentially malicious emails.