New Phishing Campaign Features Encoded Fonts and SVG Logos

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

Phishing scammers never stop evolving and make their malicious campaigns more efficient and more obfuscated. According to a report compiled by Proofpoint researchers, there’s a new phishing campaign out there right now, using a custom set of fonts that helps the attackers evade detection and increase the level of their impersonation activity. The phishing process starts with the regular email that points people to the website that features the encoded fonts source code. What users see is a seemingly regular website with legitimate banking logos and everything, but under the hood, the source code is written in a custom base64-encoded Web Open Font Format that works as an obfuscation mechanism.

The font does not follow the standard alphabetical lettering but uses a substitution cipher in the CSS code instead. This is not the only concealing method though, as even the logos that are used to impersonate real banks are added in the form of SVGs (scalable vector graphics), so the real banking institutions cannot detect them as easily. All this makes it difficult for anti-phishing tools to detect that something is wrong, and essentially hide the tracks of the scammers so they can seamlessly continue their spiteful activities. Even when copying the test from the website and pasting it into a text file still retains its encoding, so the detection remains hard to carry out.

encrypted font

From the Proofpoint report: The font as seen after extraction and conversion

According to the Proofpoint researchers, the particular phishing kit was first observed last summer, but its popularity and utilization are currently on the rise. The addresses given out by the team as associated with the phishing actors include- fatima133777@gmail[.]com, fitgirlp0rtia@gmail[.]com, hecklerkiller@yandex[.]com, netty6040@aol[.]com, nicholaklaus@yandex[.]com, oryodavied@gmail[.]com, realunix00@gmail[.]com, slidigeek@gmail[.]com, and zerofautes@outlook[.]com. If you receive an email from one of the above addresses, do not follow the link and do not input your credentials on the linking page.

As phishing scammers continue to evolve and introduce new methods to make their phishing landing pages more believable, receptors of emails that make bold claims about their bank accounts should be very careful. Do not be gullible and fooled by fake-urgency messages, and always call your bank if you are approached via email to confirm what is going on with your account first. Legitimate banking institutions do not use email communication for serious correspondence with their clients.

Do you think that phishing will soon become so polished and well-hidden that it will be impossible to distinguish from legit organizations? Let us know in the comments below, and also like and subscribe to our socials on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: