Hackers have a long history of trying to obfuscate their true intent. We've written about this extensively, whether it's MetaMorph, SiteCloak, ZeroFont, baseStriker or Tattle Token. By obfuscating, security filters are unable to determine the intent. Thinking it's legitimate, the email flies into the inbox.
We saw a new type of obfuscation attack that builds off a classic tactic. Typically, the attacker will try to hide strings of random characters by styling a string with special properties, as seen in the example below.
In this example, the attacker tried to bypass phishing filters by obfuscating “Office 365”. Notice how some of the “<span>” tags are styled with the font size to zero. This kind of approach is well-known and our SmartPhish engine saw that this was text obfuscation.
However, the setting “display: none” is far less common. In the following example, the attacker did not use any font-size settings, and instead used the setting “display: none”.
Again, the attacker tried to obfuscate the text “Office 365”, but this time used a style sheet labeled “xfd” combining several of the obfuscation techniques seen before. Several red flags are found in the style settings, but the key offender is the “display: none” setting which is equivalent to the “font-size: 0” setting. The others, such as “visibility: hidden” will leave awkward whitespace (which can still be manipulated to look like it’s not there!).
