A new phishing campaign has been spotted in the wild using hidden text, or what’s known as zero font, to bypass email security controls and deliver malicious emails to the user, according to a recent report from Inky Technology.
As noted in an email to HealthITSecurity.com, researchers observed the technique being used to target users from a pharmaceutical software company, an electric utility firm, and a cloud managed service provider.
According to the report, zero font refers to embedding text in an email at a font size of zero, so that it is present in the message source but never displayed. Most email platforms render messages as HTML, the language used for webpages. That flexibility lets senders build rich messages, but the same complexity makes it hard for mail-scanning software to determine what the recipient will actually see when a delivered email is opened.
Hackers are taking advantage of that complexity, applying the zero font technique in a new campaign. The attacker inserts invisible text into the message’s HTML; examined in the source, it appears as gibberish. Researchers explained that by using yellow text set to a font size of zero, the attacker can hide these malicious emails from mail protection software: the scanner reads the full text, gibberish included, while the recipient sees only what is rendered.
“Attackers can embed text into their emails that is both invisible to end users and visible — and confusing — to the machines that automatically scan the mail looking for signs of malicious intent or branding,” researchers explained. “If the software is looking for brand-indicative text like ‘Office 365’, it won’t find a match.”
“This tactic therefore prevents legacy mail protection systems from classifying this mail as appearing to be from Microsoft,” they added. “Since it doesn’t know it appears to be from Microsoft, it doesn’t require the mail to be from a Microsoft-controlled mail server. So it sails right through, ending up in the victim’s inbox.”
From the user’s perspective, the email appears legitimate: the text designed to confuse the mail protection system sits in the HTML source and is never rendered.
In some cases, the attacker instead used white text on a white background to hide the inserted text from the user while the email software still read it and delivered the message. When the researchers changed the white-on-white text to red-on-white, the hidden message inserted by the attacker became visible.
With this filler, a malicious transactional email can convince the mail protection system that it is a conversation between two people rather than a forgery of a well-known company.
“They will sometimes add text scraped from the web to an email to make the email appear to be a conversation between two people rather than a transactional email that might be a brand forgery,” they explained. “The bottom line is that HTML email gives scammers a nearly endless supply of ways to hide text from end users, but still ensure the mail protection system sees it — and becomes confused by it.”
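The split between what a scanner reads and what the recipient sees, as an added example in Python (not code from the report or from Inky Technology): a small parser over a constructed phishing email buckets text into the view a naive filter concatenates and the view a user sees once zero-font and white-on-white spans are dropped, then runs the same brand-term match on both views. The sample message, the BRAND_TERMS list, the assumption of a white background for white text, and the display:none rule (a related hiding trick included here as a generalisation, not taken from the report) are all assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Brand indicators a legacy filter keys on. "Office 365" and Microsoft are the
# brand the report says was impersonated; the list itself is an assumption.
BRAND_TERMS = ("office 365", "microsoft")

# CSS that makes text invisible to the recipient but not to a scanner.
# font-size:0 is the zero-font trick; the white-text rule assumes a white
# background (the white-on-white case the researchers found); display:none is
# a related trick added here as a generalisation, not taken from the report.
HIDDEN_STYLE = (
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I),
    re.compile(r"(?<![\w-])color\s*:\s*(?:#fff(?:fff)?|white)\s*(?:;|!|$)", re.I),
    re.compile(r"display\s*:\s*none\s*(?:;|!|$)", re.I),
)

# Elements with no closing tag (never pushed on the element stack).
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}
# Elements whose boundary separates words once rendered.
BLOCK_TAGS = {"body", "p", "div", "br", "tr", "td", "li", "table",
              "h1", "h2", "h3", "h4", "h5", "h6"}


def is_hidden(attrs):
    """True if an element's inline style matches one of the hiding rules."""
    style = dict(attrs).get("style") or ""
    return any(rule.search(style) for rule in HIDDEN_STYLE)


class HiddenTextSplitter(HTMLParser):
    """Buckets text into: everything a naive scanner concatenates, what the
    recipient sees, and the hidden remainder. Lightweight on purpose: it reads
    inline styles only, not <style> blocks or inherited colours."""

    def __init__(self):
        super().__init__()
        self._stack = []  # (tag, hidden) per open element; hidden inherits
        self.scanner, self.visible, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            for bucket in (self.scanner, self.visible, self.hidden):
                bucket.append("\n")
        if tag in VOID_TAGS:
            return
        inherited = self._stack[-1][1] if self._stack else False
        self._stack.append((tag, inherited or is_hidden(attrs)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy HTML nesting.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        self.scanner.append(data)
        hidden = bool(self._stack) and self._stack[-1][1]
        (self.hidden if hidden else self.visible).append(data)


def _normalize(parts):
    return re.sub(r"\s+", " ", "".join(parts)).strip()


def split_views(html):
    """Return the scanner, visible and hidden text of an HTML mail."""
    parser = HiddenTextSplitter()
    parser.feed(html)
    parser.close()
    return {"scanner": _normalize(parser.scanner),
            "visible": _normalize(parser.visible),
            "hidden": _normalize(parser.hidden)}


def brand_hits(text):
    """Brand terms present in the given text, case-insensitively."""
    lowered = text.lower()
    return [term for term in BRAND_TERMS if term in lowered]


def hidden_fraction(views):
    """Share of the scanner-visible text the recipient never sees."""
    total = len(views["scanner"])
    return len(views["hidden"]) / total if total else 0.0


# Constructed sample, not a real campaign message: zero-font spans break up
# "Microsoft" and "Office 365", and a white-on-white paragraph adds chatty filler.
SAMPLE_EMAIL = """<html><body style="background-color:#ffffff">
<p>From: The Mi<span style="font-size:0px">qv</span>crosoft account team</p>
<p>Your <b>Offi<span style="FONT-SIZE: 0">k7</span>ce 3<span style="font-size:0;">zz</span>65</b>
password expires today. Sign in to keep your mailbox active:
<a href="http://example.invalid/login">Verify now</a></p>
<p style="color:#FFFFFF">Hi Sarah, thanks again for lunch on Tuesday. Let's catch up about
the conference next week and compare notes on the hotel.</p>
</body></html>"""

if __name__ == "__main__":
    views = split_views(SAMPLE_EMAIL)
    for name, text in views.items():
        print(f"{name:8}: {text}")
    print("brand terms in scanner text :", brand_hits(views["scanner"]))
    print("brand terms in visible text :", brand_hits(views["visible"]))
    print(f"hidden fraction: {hidden_fraction(views):.2f}")
```

Run directly, the script prints the three views: the scanner text contains neither “Office 365” nor “Microsoft”, the visible text contains both, and roughly half of what the scanner read is text the recipient never sees. A filter that matches brand terms on the visible view, and treats a large hidden fraction as a signal in its own right, catches this forgery; a production check would additionally resolve styles from `<style>` blocks and compute actual colour contrast against the real background, which this example does not.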
The report stressed that these attacks are highly sophisticated and that traditional email security tools will likely not detect them, since they classify a message on the raw text they extract rather than on what the recipient actually sees.
The campaign joins an alarming trend of hackers leveraging highly skilled techniques to ensure success. For example, one detected campaign targets the voicemail messages of remote workers, while a popular business email compromise campaign is able to bypass multi-factor authentication.