We’re used to hackers slipping malicious links and attachments into phishing emails. That doesn’t mean there aren’t the occasional slip-ups that result in malware infections, but for the most part, cyber-savvy users recognize the tricks used to fool them.
In response, hackers have taken it up a notch. In April, as many workers were still adjusting to remote work and distracted by the upheaval in their lives, a new phishing threat popped up. Inky Technologies discovered phishing emails that either contained hidden text visible to secure email gateways (SEGs) but invisible to the end user, or used text-direction deception. According to an article in Dark Reading, “[Inky Technologies] described the tactic as designed to trick security controls that filter email messages based on whether the emails contain text and text sequences that have been previously associated with phishing scams.”
Nasty New Phishing Specimen
In its report, Inky Technologies warned that threat actors have bumped up their efforts with a “nasty new specimen.” In an email interview, Inky CEO Dave Baggett explained the new ways scammers are exploiting the complexity of Unicode and HTML to embed invisible text in an email and confuse the SEG.
“A key insight from our recent report is that there are codepoints in Unicode that correspond to characters that have no visual representation at all. In effect they are invisible,” he said. “One we cover in the report is SOFT HYPHEN – this is used by an author to indicate that it’s acceptable to break a word at the indicated point and insert a visible hyphen there. For example, one might write ‘the human brain uses wetXware to analyze branded emails’ where the X is a SOFT HYPHEN character. This would tell the email client (rendering engine) that it’s permissible to break the line at ‘wet,’ as in ‘wet-[line break]ware’. But if the line isn’t broken there, the SOFT HYPHEN just renders as nothing: ‘wetware.’ The point is the SOFT HYPHEN is not visible, by design, but to the SEG parsing the text of the email, it might as well be a visible character like a capital X, because it has a codepoint like any other character, and will be encoded as such.”
Using Tactics the Average Person Could Never Detect
This type of phishing scam is nasty because the average person has no idea that such characters can even be slipped into text. So how does it work? Baggett said the bad guys will use extra letters, characters or codepoints: as long as the extra codepoint is encoded into the text, it can confuse any pattern matching the SEG is doing.
“In the specific example we looked at in the report,” said Baggett, “the attacker used SOFT HYPHENs to prevent the SEG from matching the text ‘Password expiry.’ They did this by putting a SOFT HYPHEN after every single character, which made that text look like ‘PXaXsXsXwXoXrXdX EXxXpXiXrXyX’ to the SEG. I put X here in place of SOFT HYPHEN, but to the SEG it might as well be any character.
“So why does the attacker use this weird SOFT HYPHEN character when any character would confuse the SEG? Because the SOFT HYPHEN is invisible to the end user! In this case the end user reads ‘Password Expiry’—as though no extra characters are even there. Hence, ‘invisible characters.’”
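As an added defender-side example (not code from Inky or from this article), the check below normalizes a message body the way a gateway should before phrase matching, and shows that the soft-hyphen-laced version of ‘Password Expiry’ evades a naive matcher but not the normalized one. The phrase list and the sample string are constructed for illustration.

```python
import html
import unicodedata

# Constructed sample, not taken from Inky's report: the phrase from the
# article with U+00AD SOFT HYPHEN after every character, which is what the
# SEG's pattern matcher saw while the mail client rendered "Password Expiry".
SOFT_HYPHEN = "\u00ad"
OBFUSCATED = SOFT_HYPHEN.join("Password Expiry") + SOFT_HYPHEN

# Illustrative phrase list (assumed); a real gateway would have a far larger one.
PHISHING_PHRASES = ["password expiry", "verify your account"]


def strip_invisible(text):
    """Return text with zero-width/format code points removed.

    html.unescape turns the entity form (&shy;, &zwnj;, ...) into the code
    point, so matching on HTML source sees the same text as the renderer.
    NFKC folds compatibility forms (fullwidth letters, ligatures) to base letters.
    Unicode category Cf ("format") covers SOFT HYPHEN (U+00AD), ZERO WIDTH
    SPACE (U+200B) and the bidi controls behind text-direction tricks.
    """
    text = unicodedata.normalize("NFKC", html.unescape(text))
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def invisible_ratio(text):
    """Fraction of code points that are format (Cf) characters.

    Legitimate prose has almost none, so a high ratio is itself a signal
    worth flagging before any phrase match is attempted.
    """
    if not text:
        return 0.0
    cf = sum(1 for ch in text if unicodedata.category(ch) == "Cf")
    return cf / len(text)


def find_phrases(text, normalize=True):
    """Phrases from PHISHING_PHRASES present in text (case-insensitive).

    normalize=False reproduces the naive matcher the soft-hyphen trick defeats.
    """
    haystack = strip_invisible(text) if normalize else text
    return [p for p in PHISHING_PHRASES if p in haystack.lower()]


if __name__ == "__main__":
    print("naive match:     ", find_phrases(OBFUSCATED, normalize=False))
    print("normalized match:", find_phrases(OBFUSCATED))
    print("invisible ratio: ", invisible_ratio(OBFUSCATED))
```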