Crooks use math symbols to evade anti-phishing solutions

Threat actors are using mathematical symbols on impersonated company logos to evade detection in phishing campaigns.

Researchers from anti-phishing cybersecurity firm INKY have detailed a new technique to evade detection in phishing attacks, it leverages using mathematical symbols on impersonated company logos.

The experts analyzed the case of a campaign targeting the customers of the telecommunication giant Verizon, attackers used a square root symbol, a logical NOR operator, or the checkmark symbol itself. The trick adopted by the crooks aims at creating a sort of optical interference that could allow bypassing anti-spam solutions.

“Although Verizon’s current logo makes use of a bright red, asymmetrical “V” after the word “Verizon” (which is all lower case in bolded black sans serif), that “V” element does look rather like a checkmark.” states the report published by INKY.

“INKY found three fake logo variants in the wild. Each made use of a mathematical symbol for the red element. The three impersonations reproduced that element via:

  • a square root symbol,
  • a logical NOR operator, and
  • the checkmark symbol itself.”

The campaign detailed by the experts used messages posing as voicemail notifications from Verizon. Upon clicking on the Play button (a close-angle-bracket character is appended to the text Play) the recipient will be directed to a phishing site (sd9-08[.]click) that clones the legitimate Verizon website.

The fake website appears genuine and asks the users to provide their Office365 account credentials on the sign-in form to listen to the message.

The experts noticed that once provided the credentials for the first time, the victims have displayed an “incorrect password” message, if they will retry to log in a fake error is notified and the login process is interrupted.

“However, the credentials were harvested both times on the backend. This pattern, the double ask, is fairly common. It’s not entirely clear what the phishers are up to, but it’s possible that they want the victim to confirm the correctness of the data, or that they hope the victim will try a different account, yielding them two sets of credentials for the price of one.” continues the report.

The experts explained that threat actors behind the phishing attacks sent use Gmail accounts to send phishing messages because they were able to pass standard email authentication (SPF, DKIM, and DMARC). They also noticed that the malicious site was brand new and hosted zero-day exploits.

Below are the recommendations provided by the security firm:

  • Email recipients are advised to be suspicious of voicemail notifications coming from Gmail or other free email providers such as Yahoo, AOL, or Hotmail. They should also distrust emails that claim to be from Verizon but come from a Gmail sender.
  • Also, in many cases, they can look at the URL of a site that purports to be Verizon to see whether Verizon actually hosts it. This type of analysis will sometimes lead to false positives if a large company uses a smaller firm for marketing support.
  • They should also be wary if a site asks them to enter Microsoft credentials to view notifications from Verizon (or any other brand).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

MediSecure data breach impacted 12.9 million individuals

Personal and health information of 12.9 million individuals was exposed in a ransomware attack on…

14 mins ago

CrowdStrike update epic fail crashed Windows systems worldwide

Windows machines worldwide displayed BSoD screen following a faulty update pushed out by cybersecurity firm…

6 hours ago

Cisco fixed a critical flaw in Security Email Gateway that could allow attackers to add root users

Cisco has addressed a critical vulnerability that could allow attackers to add new root users…

12 hours ago

SAPwned flaws in SAP AI core could expose customers’ data

Researchers discovered security flaws in SAP AI Core cloud-based platform that could expose customers' data. Cybersecurity researchers…

1 day ago

Cybercrime group FIN7 advertises new EDR bypass tool on hacking forums

The cybercrime group FIN7 is advertising a security evasion tool in multiple underground forums, cybersecurity…

1 day ago

How to Protect Privacy and Build Secure AI Products

AI systems are transforming technology and driving innovation across industries. How to protect privacy and…

1 day ago

This website uses cookies.