A basic text-color trick can fool phishing filters

(Screenshot / Avanan)

Share

Written by

Underneath all the chatter about advanced cybercrime techniques, sometimes it’s the little things that get the job done.

Researchers at Avanan said Thursday they’ve found evidence of a phishing campaign that uses a simple trick involving the text color in an email.

It works this way: The bogus emails include text that is covered in white, “blinding it from the end-user and fooling phishing filters,” writes Avanan’s Jeremy Fuchs. It’s the latest version of what phishing campaigns do to show “the end-user one thing and the filter another.” 

In this case, the attackers add nonsense strings of text that obfuscate what otherwise looks like a typical phishing email — and probably would be exiled immediately to the trash by many email providers. The goal, as is common for this kind of campaign, is to get the recipient to log into a fake webpage or call a phone number — “a classic credential harvesting scheme,” Avanan says.

For a simple approximation of what happens in the text, highlight the next sentence with your cursor:

What you see is not what you get.

Depending on what kind of device you’re using, and what color your web browser’s highlight bar is, you might be able to see the word “not” in the spot where — to the naked eye — it looks like empty space.

Below are some screenshots from Avanan. The first email looks like a typical phishing attempt:

(Avanan)

When the cursor is dragged over the text, though, it looks like what you see below. “Notice the random characters strung throughout,” Avanan says:

(Avanan)

Avanan, part of cybersecurity company Check Point, notes that similar techniques in the past have included really tiny font sizes.

Ultimately, the lure is the threat of a $499.19 charge to a person’s account.

“This email takes advantage of a classic social engineering ploy – the auto-renewal,” Fuchs writes. “By sending an email with a charge of a hefty sum, it will induce some folks to click or call to rectify what seems like a fraudulent charge. The email was sent on the same day as the purported renewal, adding even more urgency.”

-In this Story-

Avanan, Check Point, cybercrime, phishing
TwitterFacebookLinkedInRedditGmail