Hacking

Crooks use math symbols to evade anti-phishing solutions

Threat actors are using mathematical symbols on impersonated company logos to evade detection in phishing campaigns.

Researchers from anti-phishing cybersecurity firm INKY have detailed a new technique to evade detection in phishing attacks, it leverages using mathematical symbols on impersonated company logos.

The experts analyzed the case of a campaign targeting the customers of the telecommunication giant Verizon, attackers used a square root symbol, a logical NOR operator, or the checkmark symbol itself. The trick adopted by the crooks aims at creating a sort of optical interference that could allow bypassing anti-spam solutions.

“Although Verizon’s current logo makes use of a bright red, asymmetrical “V” after the word “Verizon” (which is all lower case in bolded black sans serif), that “V” element does look rather like a checkmark.” states the report published by INKY.

“INKY found three fake logo variants in the wild. Each made use of a mathematical symbol for the red element. The three impersonations reproduced that element via:

  • a square root symbol,
  • a logical NOR operator, and
  • the checkmark symbol itself.”

The campaign detailed by the experts used messages posing as voicemail notifications from Verizon. Upon clicking on the Play button (a close-angle-bracket character is appended to the text Play) the recipient will be directed to a phishing site (sd9-08[.]click) that clones the legitimate Verizon website.

The fake website appears genuine and asks the users to provide their Office365 account credentials on the sign-in form to listen to the message.

The experts noticed that once provided the credentials for the first time, the victims have displayed an “incorrect password” message, if they will retry to log in a fake error is notified and the login process is interrupted.

“However, the credentials were harvested both times on the backend. This pattern, the double ask, is fairly common. It’s not entirely clear what the phishers are up to, but it’s possible that they want the victim to confirm the correctness of the data, or that they hope the victim will try a different account, yielding them two sets of credentials for the price of one.” continues the report.

The experts explained that threat actors behind the phishing attacks sent use Gmail accounts to send phishing messages because they were able to pass standard email authentication (SPF, DKIM, and DMARC). They also noticed that the malicious site was brand new and hosted zero-day exploits.

Below are the recommendations provided by the security firm:

  • Email recipients are advised to be suspicious of voicemail notifications coming from Gmail or other free email providers such as Yahoo, AOL, or Hotmail. They should also distrust emails that claim to be from Verizon but come from a Gmail sender.
  • Also, in many cases, they can look at the URL of a site that purports to be Verizon to see whether Verizon actually hosts it. This type of analysis will sometimes lead to false positives if a large company uses a smaller firm for marketing support.
  • They should also be wary if a site asks them to enter Microsoft credentials to view notifications from Verizon (or any other brand).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

A cyberattack was responsible for the week-long outage affecting Cellcom wireless network

Cellcom, a regional wireless carrier based in Wisconsin (US), announced that a cyberattack is the…

6 hours ago

Coinbase data breach impacted 69,461 individuals

Cryptocurrency exchange Coinbase announced that the recent data breach exposed data belonging to 69,461 individuals.…

14 hours ago

U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM, MDaemon Email Server, Srimax Output…

17 hours ago

A critical flaw in OpenPGP.js lets attackers spoof message signatures

A critical flaw in OpenPGP.js, tracked as CVE-2025-47934, lets attackers spoof message signatures; updates have…

19 hours ago

SK Telecom revealed that malware breach began in 2022

South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April…

22 hours ago

4G Calling (VoLTE) flaw allowed to locate any O2 customer with a phone call

A flaw in O2 4G Calling (VoLTE) leaked user location data via network responses due…

1 day ago