In an apparent first, researchers last year observed an unusual phishing kit that obfuscates its landing page’s source code with web fonts as a means to avoid detection.

Attackers recently used the kit as part of a credential harvesting scheme that targeted a major retail bank, researchers from Proofpoint revealed in a Jan. 3 blog post.

The phishing kit’s landing page employs stolen branded content that’s intended to convince potential victims that they are visiting the genuine banking site. But if one were to view the source code, or even copy the cleartext from the landing page into a text file, something curious occurs: the text suddenly looks encoded.

That’s because the cybercriminals used a basic substitution cypher to replace one letter with another letter. In other words, the letter “A” is replaced with “M,” while the letter “M” is replaced with “A.”

Normally, substitution cyphers are executed using JavaScript. But in this case the technique was accomplished via the landing page’s Cascading Style Sheets code, using two custom web font files that leverage the Web Open Font Format (WOFF).

According to Proofpoint, the landing page “is utilizing a custom web font file to make the browser render the ciphertext as plaintext. As the Web Open Font Format (WOFF) expects the font to be in a standard alphabetical order, replacing the expected letters “abcdefghi…” with the letters to be substituted, the intended text will be shown in the browser, but will not exist on the page.”
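As an added illustration (not code from Proofpoint or from the kit), the Python sketch below shows why keyword matching on the raw page source misses such a page, and how applying the font's letter remapping recovers the text a visitor actually sees. The `font_order` model, the sample source string and the keywords are constructed assumptions; a real table would have to be recovered from the kit's font files.

```python
import string

LOWER = string.ascii_lowercase

def render_table(font_order):
    """Translation table: character in the page source -> letter displayed.

    font_order[i] is the letter the custom font draws in the slot where a
    normal font draws LOWER[i] (assumed model of the remapped font).
    """
    if sorted(font_order) != list(LOWER):
        raise ValueError("font_order must be a permutation of a-z")
    table = {}
    for src, shown in zip(LOWER, font_order):
        table[ord(src)] = shown
        table[ord(src.upper())] = shown.upper()
    return table

def remapped_letters(font_order):
    """Letters drawn as a different letter; any at all is a signal by itself."""
    return [src for src, shown in zip(LOWER, font_order) if src != shown]

def rendered_text(source_text, font_order):
    """Text a visitor would see once the browser applies the font."""
    return source_text.translate(render_table(font_order))

def scan(source_text, font_order, keywords):
    """Compare keyword hits on the raw source with hits on the rendered text."""
    raw = source_text.lower()
    shown = rendered_text(source_text, font_order).lower()
    return {
        "raw_hits": [k for k in keywords if k in raw],
        "rendered_hits": [k for k in keywords if k in shown],
        "remapped_count": len(remapped_letters(font_order)),
    }

# Constructed sample, not taken from the kit: a reversed-alphabet font and
# the matching ciphertext as it would sit in the HTML source.
SAMPLE_FONT_ORDER = LOWER[::-1]
SAMPLE_SOURCE = "Lmormv Yzmprmt: Vmgvi blfi kzhhdliw"
SAMPLE_KEYWORDS = ["online banking", "password"]

if __name__ == "__main__":
    print(rendered_text(SAMPLE_SOURCE, SAMPLE_FONT_ORDER))
    print(scan(SAMPLE_SOURCE, SAMPLE_FONT_ORDER, SAMPLE_KEYWORDS))
```

A font that draws ordinary letters as different letters is suspicious on its own, which is why the scan reports the remapped count alongside the keyword hits.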

In another twist, the stolen bank branding that’s used on the landing page is rendered via scalable vector graphics (SVG). This means that the logo and its source do not appear in the source code, Proofpoint explains – another strategy to avoid detection.

Proofpoint did note that the substitution cypher used by the criminals was simple enough that automated systems should be able to sniff out the pattern and still detect the landing page. However, “for many widely deployed legacy security systems, this could certainly be an effective evasion technique,” said Chris Dawson, threat intelligence lead at Proofpoint, in an interview with SC Media.

Moreover, the technique could also “evolve and become more effective or widespread over time,” Dawson continued, thus making detection more challenging for even advanced solutions.

“Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse,” the blog post concludes. “In this case, actors developed a phishing template that uses a custom web font to implement a substitution cypher, among other techniques, to render well-crafted phishing pages for credentials to a major U.S. bank. While the substitution cypher itself is simple, the implementation via web font files appears to be unique, giving phishing actors yet another technique to hide their tracks and defraud consumers.”