Tech

Phishing campaign uses math symbols to evade detection

Phishing actors are now using mathematical symbols on impersonated company logos to evade detection from anti-phishing systems.

One notable case spotted by analysts at INKY involves the spoofing of Verizon, a large U.S.-based telecommunication service provider.

In this case, the actors are using a square root symbol, a logical NOR operator, or the checkmark symbol itself, all helping to create a slight optical differentiation that could trick AI-based spam detectors.

Phishing message using the square root symbol in the Verizon logo
Phishing message using the square root symbol in the Verizon logo
Source: INKY

For many people who don’t keep up with the latest logo changes though, these slightly altered logos look good enough, so the delivery success and user engagement rates have better chances of staying high.

You have fake voicemail

All three spoofing types masquerade as voicemail notifications containing an embedded ‘Play’ button, that when clicked, take the user to a phishing portal that was crafted to look like a Verizon website.

The landing domain is clearly not part of Verizon’s official webspace, with one example given in the report being sd9-08[.]click.

A cloned Verizon site used as the phishing page of the campaign
A cloned Verizon site used as the phishing page of the campaign
Source: INKY

The actors bet on the carelessness of the target, as otherwise, the spoofed site looks pretty convincing. Also, Inky has found that this phishing campaign relied on recently-registered domains that were unreported.

The logo on the cloned site is the genuine one as the phishing actors stole most of the HTML and CSS elements from the real Verizon site.

Scrolling down on the fake page, the visitor will find the alleged voicemail, but they are only allowed to access it if they provide their Office365 account credentials on the sign-in form.

The first attempt will result in getting an “incorrect password” message, while the second attempt is generating a bogus error that ends the login procedure.

This is done for the phishing actors to ensure that the victim hasn’t mistyped their password in the first attempt, so it’s essentially a “quality assurance” step.

Bogus error generated after the victim enters their credentials twice on the phishing site
Bogus error message generated after the victim enters their credentials twice on the phishing site
Source: INKY

When you receive email of this kind, proper scrutiny is an important factor to not falling victims to these scams. Never click on embedded buttons, always validate the URL of the site you’re about to enter any credentials, and finally, consider the  realism of the situation.

In this case, a message from Verizon is urging recipients to enter their Office365 credentials, which does not make sense in this situation. If the contents of an email do not make sense for whatever reason, it’s usually phishing and the email should be junked. 

Related Articles

Leave a Reply

Back to top button