Crooks use math symbols to evade anti-phishing solutions

Threat actors are using mathematical symbols on impersonated company logos to evade detection in phishing campaigns.

Researchers from anti-phishing cybersecurity firm INKY have detailed a new technique to evade detection in phishing attacks, it leverages using mathematical symbols on impersonated company logos.

The experts analyzed the case of a campaign targeting the customers of the telecommunication giant Verizon, attackers used a square root symbol, a logical NOR operator, or the checkmark symbol itself. The trick adopted by the crooks aims at creating a sort of optical interference that could allow bypassing anti-spam solutions.

“Although Verizon’s current logo makes use of a bright red, asymmetrical “V” after the word “Verizon” (which is all lower case in bolded black sans serif), that “V” element does look rather like a checkmark.” states the report published by INKY.

“INKY found three fake logo variants in the wild. Each made use of a mathematical symbol for the red element. The three impersonations reproduced that element via:

• a square root symbol,
• a logical NOR operator, and
• the checkmark symbol itself.”

The campaign detailed by the experts used messages posing as voicemail notifications from Verizon. Upon clicking on the Play button (a close-angle-bracket character is appended to the text Play) the recipient will be directed to a phishing site (sd9-08[.]click) that clones the legitimate Verizon website.

The fake website appears genuine and asks the users to provide their Office365 account credentials on the sign-in form to listen to the message.

The experts noticed that once provided the credentials for the first time, the victims have displayed an “incorrect password” message, if they will retry to log in a fake error is notified and the login process is interrupted.

“However, the credentials were harvested both times on the backend. This pattern, the double ask, is fairly common. It’s not entirely clear what the phishers are up to, but it’s possible that they want the victim to confirm the correctness of the data, or that they hope the victim will try a different account, yielding them two sets of credentials for the price of one.” continues the report.

The experts explained that threat actors behind the phishing attacks sent use Gmail accounts to send phishing messages because they were able to pass standard email authentication (SPF, DKIM, and DMARC). They also noticed that the malicious site was brand new and hosted zero-day exploits.

Below are the recommendations provided by the security firm:

• Email recipients are advised to be suspicious of voicemail notifications coming from Gmail or other free email providers such as Yahoo, AOL, or Hotmail. They should also distrust emails that claim to be from Verizon but come from a Gmail sender.
• Also, in many cases, they can look at the URL of a site that purports to be Verizon to see whether Verizon actually hosts it. This type of analysis will sometimes lead to false positives if a large company uses a smaller firm for marketing support.
• They should also be wary if a site asks them to enter Microsoft credentials to view notifications from Verizon (or any other brand).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]