Proofpoint researchers recently observed a phishing kit with peculiar encoding utilized in a credential harvesting scheme impersonating a major retail bank. While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding.

When the phishing landing page renders in the browser, users are presented with a typical online banking credential phish leveraging stolen bank branding. However, the source code of the page includes unexpectedly encoded display text (Figure 1).

Figure 1: Code snippet from phishing landing page with displayed text encoded despite decoded rendering

Copying the cleartext from the webpage and pasting it into a text file still results in encoded text. The text can be decoded through a straightforward character substitution cipher, so once the mapping is known, automated detection of the phishing landing page is simple. However, the implementation of the substitution in this case merits closer examination. Substitution functions in phishing kits are frequently implemented in JavaScript, but no such functions appeared in the page source. Instead, we identified the source of the substitution in the CSS code for the landing page (Figure 2).

Figure 2: CSS rule from the phishing landing page source code

After reviewing many copies of the phishing kit left behind by the threat actors, we know that the fonts/ directory does not exist in the kit, making the base64-encoded woff and woff2 the only loaded fonts. If we extract, convert, and view the woff and woff2 web font files, we see the font specification that implements the substitution.

This phishing landing page is therefore using a custom web font file to make the browser render the ciphertext as plaintext. The font keeps the expected letters "abcdefghi..." in their standard positions but draws the substituted letter for each of them, so the intended text is shown in the browser but never exists on the page.

It is also worth noting that the stolen bank branding is rendered via SVG (scalable vector graphics), so the logo and its source do not appear in the source code (Figure 4). Linking to actual logos and other visual resources can also potentially be detected by the brand being impersonated.

Figure 4: Code snippet showing SVG rendering of stolen bank logo

We first observed the use of this kit in May 2018, but it is certainly possible that the kit appeared in the wild earlier. Most archive dates on resource files we have observed in samples of this kit are dated early June 2018.

Threat actors continue to introduce new techniques to evade detection and hide their activities from unsuspecting victims, security vendors, and even from savvy organizations proactively searching for brand abuse.
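The following script is an added example, not code from the Proofpoint post or from the kit, showing how an analyst can undo this trick offline: pull the base64 data-URI font out of the page's CSS, parse the WOFF container (zlib-compressed tables, standard library only), read the cmap table (code point to glyph id) and the post table (glyph id to glyph name), and from those derive the substitution alphabet that the browser applies silently. It assumes the font still carries glyph names in a format-2.0 post table; a kit font with names stripped would instead need its glyph outlines compared against a reference font, or rendering plus OCR. The font and page it analyses are a constructed fixture built in the same file (the real kit's font is not reproduced), and WOFF2 is detected but not parsed because it needs a Brotli decoder.

```python
import base64, re, struct, zlib

def parse_woff(blob):
    """{table tag: raw bytes} from a WOFF 1.0 blob; zlib-compressed tables are inflated."""
    if blob[:4] != b"wOFF":   # b"wOF2" (Brotli) needs a different container parser
        raise ValueError(f"unsupported font container {blob[:4]!r}")
    tables = {}
    for i in range(struct.unpack(">H", blob[12:14])[0]):
        tag, off, clen, olen, _ = struct.unpack(">4sIIII", blob[44 + 20*i:64 + 20*i])
        data = blob[off:off + clen]
        data = zlib.decompress(data) if clen < olen else data   # spec: shorter => compressed
        if len(data) != olen:
            raise ValueError(f"bad length for table {tag!r}")
        tables[tag.decode("latin-1")] = data
    return tables

def parse_cmap(cmap):
    """{codepoint: glyph id} from the first format-4 cmap subtable."""
    u16 = lambda p: struct.unpack(">H", cmap[p:p + 2])[0]
    subs = [struct.unpack(">I", cmap[8 + 8*i:12 + 8*i])[0] for i in range(u16(2))]
    base = next(b for b in subs if u16(b) == 4)          # StopIteration if absent
    n = u16(base + 6) // 2
    end_p, start_p = base + 14, base + 16 + 2*n          # +2 skips reservedPad
    delta_p, range_p = start_p + 2*n, start_p + 4*n
    out = {}
    for i in range(n):
        start, end = u16(start_p + 2*i), u16(end_p + 2*i)
        delta, roff = u16(delta_p + 2*i), u16(range_p + 2*i)
        for c in range(start, min(end, 0xFFFE) + 1):
            if roff:   # glyphIdArray is addressed relative to this idRangeOffset entry
                gid = u16(range_p + 2*i + roff + 2*(c - start))
                gid = (gid + delta) & 0xFFFF if gid else 0
            else:
                gid = (c + delta) & 0xFFFF
            if gid:
                out[c] = gid
    return out

def parse_post_names(post):
    """Glyph names indexed by glyph id, from a format-2.0 post table."""
    if struct.unpack(">I", post[:4])[0] != 0x00020000:
        raise ValueError("post table carries no glyph names")
    n = struct.unpack(">H", post[32:34])[0]
    idx = struct.unpack(f">{n}H", post[34:34 + 2*n])
    custom, p = [], 34 + 2*n
    while p < len(post):                               # Pascal strings follow the indices
        ln = post[p]
        custom.append(post[p + 1:p + 1 + ln].decode("latin-1"))
        p += 1 + ln
    # Standard Macintosh order: 36..61 are A..Z and 68..93 are a..z (both chr(i+29)); rest unresolved
    mac = lambda i: chr(i + 29) if 36 <= i <= 61 or 68 <= i <= 93 else f".mac{i}"
    return [custom[i - 258] if i >= 258 else mac(i) for i in idx]

def recover_substitution(font):
    """Map each page (ciphertext) letter to the letter the font really draws for it."""
    tables = parse_woff(font)
    names = parse_post_names(tables["post"])
    return {chr(c): names[g] for c, g in parse_cmap(tables["cmap"]).items()
            if g < len(names) and len(names[g]) == 1}

def decode_text(text, sub):
    return "".join(sub.get(ch, ch) for ch in text)

_DATA_FONT = re.compile(r"url\(\s*['\"]?data:[^;,)]*;base64,([A-Za-z0-9+/=\s]+)['\"]?\s*\)")
def extract_data_uri_fonts(css):
    return [base64.b64decode(re.sub(r"\s", "", m)) for m in _DATA_FONT.findall(css)]

def analyse_page(html):
    """(substitution, decoded visible text) for a page that embeds its own font."""
    sub = recover_substitution(extract_data_uri_fonts(html)[0])
    body = re.sub(r"<style>.*?</style>", "", html, flags=re.S)
    return sub, decode_text(" ".join(re.findall(r">([^<>]+)<", body)), sub)

# --- Constructed fixture standing in for the kit's font (not the real one) ---
KEY = "qwertyuiopasdfghjklzxcvbnm"   # page letter 'a' draws 'q', 'b' draws 'w', ...

def build_fixture_woff():
    """Minimal WOFF holding only cmap + post; glyph id of page letter i is i+1."""
    # cmap: a..m via idDelta, n..z via idRangeOffset/glyphIdArray, then the 0xFFFF end segment
    segs = [(97, 109, (1 - 97) & 0xFFFF, 0), (110, 122, 0, 2 * (3 - 1)), (0xFFFF, 0xFFFF, 1, 0)]
    body = struct.pack(">3H", *[s[1] for s in segs]) + b"\0\0"         # endCode, reservedPad
    for k in (0, 2, 3):                                                 # startCode, idDelta, idRangeOffset
        body += struct.pack(">3H", *[s[k] for s in segs])
    body += struct.pack(">13H", *range(14, 27))                         # glyphIdArray for n..z
    cmap = struct.pack(">HHHHI", 0, 1, 3, 1, 12) + struct.pack(">7H", 4, 14 + len(body), 0, 6, 4, 1, 2) + body
    post = struct.pack(">IihhIIIII", 0x00020000, 0, 0, 0, 0, 0, 0, 0, 0)
    post += struct.pack(">28H", 27, 0, *range(258, 284)) + b"".join(b"\1" + ch.encode() for ch in KEY)
    directory, payload = b"", b""
    for tag, data in ((b"cmap", cmap), (b"post", post)):
        comp = min(zlib.compress(data), data, key=len)
        directory += struct.pack(">4sIIII", tag, 84 + len(payload), len(comp), len(data), 0)  # checksum unchecked
        payload += comp + b"\0" * (-len(comp) % 4)
    sfnt = 44 + sum(len(d) + (-len(d) % 4) for d in (cmap, post))       # 12 + 16*2 + padded tables
    hdr = struct.pack(">4sIIHHIHHIIIII", b"wOFF", 0x10000, 84 + len(payload), 2, 0, sfnt, 1, 0, 0, 0, 0, 0, 0)
    return hdr + directory + payload

def sample_page(plaintext):
    """Constructed page: ciphertext in the HTML, the decoding font in the CSS."""
    enc = {KEY[i]: chr(97 + i) for i in range(26)}                     # plaintext -> page letter
    b64 = base64.b64encode(build_fixture_woff()).decode()
    return (f"<style>@font-face{{font-family:'x';src:url(data:font/woff;base64,{b64}) format('woff')}}"
            f"</style><body><p>{''.join(enc.get(c, c) for c in plaintext)}</p></body>")
```

Running `analyse_page(sample_page("please verify your account"))` returns the 26-letter substitution and the decoded body text; the page itself only ever contains the ciphertext. The cmap parser handles both the idDelta and the idRangeOffset/glyphIdArray forms of a format-4 segment, because real fonts mix them, and the fixture deliberately exercises both. Detection logic built on this should treat any `@font-face` whose data-URI font maps a letter's code point to a glyph named for a different letter as a strong indicator, independent of what the page text looks like.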