Researchers from anti-phishing cybersecurity firm INKY have detailed a new technique to evade detection in phishing attacks, it leverages using mathematical symbols on impersonated company logos.
The experts analyzed the case of a campaign targeting the customers of the telecommunication giant Verizon, attackers used a square root symbol, a logical NOR operator, or the checkmark symbol itself. The trick adopted by the crooks aims at creating a sort of optical interference that could allow bypassing anti-spam solutions.
“Although Verizon’s current logo makes use of a bright red, asymmetrical “V” after the word “Verizon” (which is all lower case in bolded black sans serif), that “V” element does look rather like a checkmark.” states the report published by INKY.
“INKY found three fake logo variants in the wild. Each made use of a mathematical symbol for the red element. The three impersonations reproduced that element via:
The campaign detailed by the experts used messages posing as voicemail notifications from Verizon. Upon clicking on the Play button (a close-angle-bracket character is appended to the text Play) the recipient will be directed to a phishing site (sd9-08[.]click) that clones the legitimate Verizon website.
The fake website appears genuine and asks the users to provide their Office365 account credentials on the sign-in form to listen to the message.
The experts noticed that once provided the credentials for the first time, the victims have displayed an “incorrect password” message, if they will retry to log in a fake error is notified and the login process is interrupted.
“However, the credentials were harvested both times on the backend. This pattern, the double ask, is fairly common. It’s not entirely clear what the phishers are up to, but it’s possible that they want the victim to confirm the correctness of the data, or that they hope the victim will try a different account, yielding them two sets of credentials for the price of one.” continues the report.
The experts explained that threat actors behind the phishing attacks sent use Gmail accounts to send phishing messages because they were able to pass standard email authentication (SPF, DKIM, and DMARC). They also noticed that the malicious site was brand new and hosted zero-day exploits.
Below are the recommendations provided by the security firm:
(SecurityAffairs – hacking, phishing)