ZeroFont trick makes users think that message has been scanned for threats
It’s nothing new for cybercriminals to use sneaky HTML tricks in their attempt to infect computers or dupe unsuspecting recipients into clicking on phishing links.
Spammers have been using a wide variety of tricks for years in an attempt to get their marketing messages past anti-spam filters and in front of human eyeballs.
It’s enough to make you wish that email clients didn’t support HTML at all, and that every message had to be in plaintext email. Imagine a world where email could never contain any images (unless it was ASCII art!), and where you couldn’t click on links that didn’t show you exactly where they were pointing…
Ahh, but we can only dream. And you know as well as I do that marketing departments working for legitimate companies around the world would be apoplectic that our trivial security concerns meant they had to chuck their beautifully-crafted HTML emails into the garbage can.
The reason I’m considering the merits (or otherwise) of HTML email today, is a report from ISC Sans analyst Jan Kopriva, who has identified what he describes as “a new spin on the ZeroFont phishing technique.”
“ZeroFont phishing” is a term first coined in 2018, by security researchers describing how cybercriminals could bypass spam filters.
The trick involves inserting words into an email that are “invisible” to the naked eye (on account of HTML setting their font size to zero) but which are seen by automated spam-filtering solutions.
Take the following example. An email arrives at your company, containing the following content:
An automated system might find it difficult to spot the unwanted message amongst all that, but to the human eye, it would read:
This is a very simple example – a spammer would most likely go to much greater efforts to obfuscate their message in order to get it past an anti-spam filter – but it makes the point succinctly.
The “new spin” on the idea that Kopriva is reporting takes advantage of the fact that today’s email clients often show a preview of the first couple of lines of messages in an inbox, in a separate window from the body of the actual selected message.
According to Kopriva, attackers used the “ZeroFont” technique to manipulate the preview of a message to suggest it had already been scanned for threats.
In a screenshot Kopriva shared, he showed how the small preview pane claimed the message had been “Scanned and secured by Isc®Advanced Threat protection (APT): 9/22/2023T6:42 AM”
However, the reading pane of the message had no human-visible mention of this, and went straight into a bogus job offer.
Microsoft Outlook does not display the fake “Scanned and secured” message in the main rendering of the email, but does grab it and display it in the preview pane.
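As an added illustration that is not part of Kopriva's report or this article, the following Python scanner reads an email's HTML twice, once as a spam filter sees it and once as a human sees it, and flags zero-font text that precedes any visible text, which is exactly what a plain-text preview pane would surface first. The sample message, the product name in it, and the `scan` function are constructed for this example; it assumes reasonably well-formed HTML.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the original report): a hidden "scanned" banner
# placed before the lure, so a preview that strips HTML shows the banner first.
SAMPLE_EMAIL = (
    '<html><body>'
    '<span style="font-size:0px">Scanned and secured by Example Threat '
    'Protection</span>'
    '<p style="font-size: 14px">We have a job offer for you.</p>'
    '</body></html>'
)

# Matches font-size:0, 0px, 0pt, 0em, 0.0 etc., but not 0.5em or 10px.
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$|!)", re.I)
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base",
        "col", "embed", "source", "track", "wbr", "param"}

class ZeroFontScanner(HTMLParser):
    """Collects the text a filter sees (raw) and the text a human sees (visible)."""
    def __init__(self):
        super().__init__()
        self.raw, self.visible, self.hidden = [], [], []
        self.stack = []  # one bool per open element: inside a zero-font subtree?

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = self.stack[-1] if self.stack else False
        # Zero font size is inherited, so children of a hidden element stay hidden.
        self.stack.append(parent_hidden or bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        self.raw.append(text)
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)

def scan(html):
    p = ZeroFontScanner()
    p.feed(html)
    p.close()
    return {
        "filter_view": " ".join(p.raw),
        "human_view": " ".join(p.visible),
        "hidden_text": " ".join(p.hidden),
        # Hidden text that comes before any visible text is what a preview shows first.
        "hidden_leads_preview": bool(p.hidden) and p.raw[0] == p.hidden[0],
    }
```

A mail gateway could alert when `hidden_text` is non-empty and, more aggressively, when `hidden_leads_preview` is true, since legitimate mail rarely opens with invisible text.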
As Kopriva describes, “the goal is to instill a false sense of legitimacy and security in the recipient,” with the intent of increasing the chance that a target will trust and open the offending message.
The moral of the story? Remain vigilant.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire.