Phishing toolkit uses custom font and substitution cipher to evade detection

A vintage spycraft tool was updated for the technological age as cybercriminals attempt to evade programmatic detection.

For years, cybercriminals have relied on creative obfuscation techniques to make it more difficult for security software to detect phishing attacks. Typically, these rely on obfuscating source code using AES-256 or Base64 encoding inside JavaScript, or custom encoding strategies, making it difficult to analyze the underlying source code. On Thursday, researchers at Proofpoint disclosed a phishing toolkit that uses the novel strategy of encoding data by use of a substitution cipher that relies on a custom font to decode.

SEE: Research: Defenses, response plans, and greatest concerns about cybersecurity in an IoT and mobile world (Tech Pro Research)

Substitution ciphers are straightforward for humans to understand, and for a phishing attack to be successful, the decoded data must be displayed to a potential victim. In this attack, cybercriminals use a customized version of the Arial font with individual letters transposed. When the page is loaded, the content looks normal. But when a user or program attempts to read the source, the text on the page appears jumbled.

To visualize the nature of the exploit, consider the standard layout of the English alphabet (above), with the substitution cipher layout used in the attack (below):


With text encoded in this way, common strings used in phishing attacks could not be programmatically detected unless security software is designed to solve substitution ciphers. Computationally, this is not complex—the unicity distance of substitution ciphers in English is 28 characters, and text strings used in phishing attacks would necessary provide far more than that, making the process easier.

This specific attack was first observed in May 2018, Proofpoint found, and was used to create phishing pages for a "major US bank," noting that the substitution cipher "implementation via web font files appears to be unique."

Additionally, the font itself is embedded in the page, embedded as a base-64 blob, rather than loaded from an external file. Proofpoint also noted that the logos of the bank were rendered inline using SVG, with geometries embedded in the page itself, rather than as an external image.

SEE: Phishing and spearphishing: A cheat sheet for business professionals (TechRepublic)

Proofpoint's EP and ETPRO security solutions are capable of detecting attacks using this toolkit. For IT professionals and end users, the best steps toward mitigation of this attack are identical to any other—avoiding opening links in suspicious emails and ensuring the URL of pages is of the intended website are good first steps.

The big takeaways for tech leaders:

  • A newly-disclosed phishing attack uses a substitution cipher and a custom font to evade programmatic detection.
  • The attack was discovered in May 2018, and appears to be the first time a substitution cipher has been used in a phishing attack.

Also see

Getty Images/iStockphoto

About James Sanders

James Sanders is a technology writer for TechRepublic. He covers future technology, including quantum computing, AI, and 5G, as well as cloud, security, open source, mobility, and the impact of globalization on the industry, with a focus on Asia.

Editor's Picks

Free Newsletters, In your Inbox