Endpoints and security gateway appliances use a variety of techniques to attempt to identify phishing websites that try to steal login credentials from unsuspecting users.
A typical phishing website appears, to the average human, to be the login page of a well-known service such as Gmail, Dropbox or your cloud-hosted ERP system. Users who are tricked into visiting that website, for example by clicking a link in a fraudulent email, will very often hand their login details to cyber-criminals simply by attempting to log in on the phishing page.
The first generation of phishing protection attempted to detect a copy of a well-known login page being served from the wrong URL: for example, a copy of the Gmail login page loaded from a web server on a domain name such as “fakegmail.com”.
Cyber-criminals responded by obfuscating the HTML of their phishing websites with JavaScript functions that encode the HTML, so that what gets downloaded to the user’s browser is simply a large blob of data. The JavaScript then runs locally in the user’s browser to decode the blob before the fake login page is rendered. In turn, security vendors responded by adding features to their products that treat large blobs of encoded data as a warning sign, and some vendors even tried decoding the data on the fly in order to check the purpose of the HTML and whether or not it was a known phishing page.
More recently, cyber-criminals have responded with a new generation of phishing tools that do not use JavaScript to obfuscate the webpage content at all. According to Proofpoint, the latest technique uses a combination of CSS and customised web fonts to encrypt the webpage text and then decode it at render time. Because there is no obvious JavaScript obfuscation, the current generation of anti-phishing tools may not detect this new attack vector. The same technique has also been seen in the wild with SVG instructions in the HTML that draw the logos of the bank the phishing page is meant to be emulating. As a result, the data downloaded to the user’s browser from the phishing server contains none of the wording from the fake login page, nor any of the well-known logo images that security software would be looking for. Only when the CSS is processed and the SVG instructions are rendered in the user’s web browser, after the content has passed through the security gateways, does the fake login page become recognisable to the end user.
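The following is an added example, not code from the article or from Proofpoint, of a defensive heuristic for the pattern described above: a credential form whose visible text is unreadable until a page-supplied font renders it, or whose logo is drawn with inline SVG instructions rather than loaded as an image. Both HTML samples are constructed, and the readability test and thresholds are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
# Constructed sample (not from the article): the visible text is scrambled and only the
# page-supplied @font-face with remapped glyphs renders it; the logo is an inline SVG.
SUSPECT = """<html><head><style>@font-face{font-family:f1;src:url(data:font/woff2;base64,AAAA)}
body{font-family:f1}</style></head><body><svg><path d="M0 0h90v30H0z"/></svg><form><label>Xqrwtqj
</label><input name="u"><label>Ytbbkrvl</label><input type="password"></form></body></html>"""
# Constructed benign login page for comparison.
BENIGN = """<html><body><form><label>Username</label><input name="u"><label>Password</label>
<input type="password"><button>Sign in</button></form></body></html>"""
FONT_DATA_URI = re.compile(r"@font-face[^}]*url\(\s*['\"]?data:", re.I | re.S)

class PageFeatures(HTMLParser):
    def __init__(self):
        super().__init__()
        self._skip = 0                      # depth inside <style>/<script>: not rendered text
        self.css, self.words, self.svg_paths, self.password_field = [], [], 0, False
    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        elif tag == "path":                 # logo drawn with vector instructions, not <img>
            self.svg_paths += 1
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_field = True
    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if self._skip:
            self.css.append(data)           # stylesheet text, scanned for embedded fonts
        else:
            self.words += re.findall(r"[A-Za-z]{3,}", data)

def looks_like_a_word(w):
    """Cheap readability test (assumption): a vowel present and no five-consonant run."""
    return bool(re.search(r"[aeiou]", w.lower())) and not re.search(r"[^aeiou]{5}", w.lower())

def analyze(html):
    p = PageFeatures()
    p.feed(html)
    n = len(p.words)
    gibberish = sum(not looks_like_a_word(w) for w in p.words) / n if n else 0.0
    return {"embedded_font": bool(FONT_DATA_URI.search("".join(p.css))),
            "svg_paths": p.svg_paths, "password_field": p.password_field,
            "gibberish_ratio": round(gibberish, 2)}

def is_suspicious(html):
    # Password form + mostly unreadable text + (embedded font or inline vector logo).
    f = analyze(html)
    return bool(f["password_field"] and f["gibberish_ratio"] > 0.5
                and (f["embedded_font"] or f["svg_paths"] > 0))
```

A gateway that only inspects the raw HTML sees exactly these features, so scoring them is one way to regain visibility without rendering the page.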
Security vendors will likely upgrade their systems to detect this new attack vector in the near future; however, it serves as a useful reminder of the boundless creativity of cyber-criminals and of the danger of assuming that the systems which protected your network effectively last month are still as effective today.