Researchers identified what they are calling a first-of-its-kind phishing template that abuses web font features, which developers typically use to deploy a range of fonts on user devices. The template uses fake web fonts to render well-crafted phishing pages that impersonate a major US bank in order to harvest credentials, the research said.
Researchers listed several email addresses associated with the phishing kit that appeared in the PHP source code, hard-coded as recipients of stolen credentials.
In addition, researchers explained, “when the phishing landing page renders in the browser, users are presented with a typical online banking credential phish leveraging stolen bank branding. However, the source code of the page includes unexpectedly encoded display text.”
The phishing landing page uses a custom web font file that causes the browser to render ciphertext as plaintext. This was discovered when researchers copied the cleartext from the webpage and pasted it into a text file.
Researchers concluded that “threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse. In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major US bank.”
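For defenders, the practical consequence is that keyword and brand matching has to run on the text as the font renders it, not on the raw page source. The following Python sketch is an added example, not code from the researchers or from the phishing kit: the font mapping, the page text and the watchlist are all constructed, and it assumes the character-to-glyph mapping has already been recovered from the font file.

```python
import string

# Constructed sample: character code -> letter shape the custom font draws for it.
# A real analysis would recover this from the font's character map; this made-up
# rotation only exists so the example runs offline.
LETTERS = string.ascii_lowercase
SAMPLE_FONT_MAP = {c: LETTERS[(i - 7) % 26] for i, c in enumerate(LETTERS)}
SAMPLE_FONT_MAP.update({c.upper(): g.upper() for c, g in list(SAMPLE_FONT_MAP.items())})

# Constructed display text as it would appear in the HTML source (not from the kit).
SAMPLE_SOURCE_TEXT = "Zpnu pu av fvby vuspul ihurpun hjjvbua"

WATCHLIST = ("sign in", "online banking", "password")  # hypothetical brand-abuse terms


def remapped_ratio(font_map):
    """Share of letters whose drawn glyph differs from the character code."""
    letters = [c for c in font_map if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if font_map[c] != c) / len(letters)


def rendered_text(source_text, font_map):
    """Text the victim sees: each source character replaced by its glyph."""
    return "".join(font_map.get(ch, ch) for ch in source_text)


def analyze(source_text, font_map, watchlist=WATCHLIST, threshold=0.5):
    """Flag pages whose watchlist terms only appear after font decoding."""
    shown = rendered_text(source_text, font_map)
    raw_hits = [t for t in watchlist if t in source_text.lower()]
    shown_hits = [t for t in watchlist if t in shown.lower()]
    hidden = [t for t in shown_hits if t not in raw_hits]
    ratio = remapped_ratio(font_map)
    return {
        "rendered": shown,
        "remapped_ratio": ratio,
        "hidden_terms": hidden,
        "suspicious": ratio >= threshold and bool(hidden),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_SOURCE_TEXT, SAMPLE_FONT_MAP))
```

A font that remaps most letters is unusual on its own; combined with watchlist terms that only appear after decoding, it is a strong signal that the page is hiding its display text from source-level scanners.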
Phishing attacks continue to grow more sophisticated, and even fairly simple tactics such as a substitution cipher can allow threat actors to evade detection.