Experts Have Documented Phishing Attacks Using Unusual Techniques

FireEye Email Security specialists recorded a wave of phishing attacks on users in Europe, North and South America, during which cybercriminals use obfuscation of malicious code using a substitution cipher based on WOFF and Telegram channels for communication.

The attack begins with the victim receiving an email disguised as a notification from the DHL express delivery service. The letter contains a link to a phishing form on a fake DHL website, where the victim must enter his bank card details, which are then sent straight to the cybercriminals.

According to experts, in this campaign, cybercriminals use a very rare method of obfuscating the source code of the page. The page source contains the correct lines and valid tags and is formatted properly. However, it also contains text encoded with a substitution cipher and resembles a meaningless set of characters.

As a rule, a script for decrypting such texts is embedded in the page code itself, but in this case it is absent. The decoding of the text is done using the Web Open Font Format (WOFF) font file at page load time, and the decryption process is not visible to the victim. Loading the custom font decoded text is done inside Cascading Style Sheets (CSS). This method is rare because JavaScript is commonly used to encrypt and decrypt HTML texts.

The cybercriminals behind the phishing campaign hunt for user credentials, credit card information, and other sensitive information. The information stolen using fake forms is sent to email addresses and Telegram channels under their control. In particular, the researchers found a Telegram channel where data is sent using the Telegram Bot API.

Previous Post Next Post