Check Point Email Security | Blog

Highlighting Text in White to Fool Anti-Phishing Filters

Written by Jeremy Fuchs | March 10, 2022

Hackers are constantly looking for ways to disguise their intentions. They not only have to craft phishing emails that not only bypass filters but are also believable enough for end-users to act on.

One way to do this is by showing the end-user one thing and the filter another. 

Starting in February 2022, Avanan observed how attackers are highlighting text in white, blinding it from the end-user and fooling phishing filters. In this attack brief, Avanan will analyze how threat actors are using this form of obfuscation in credential harvesting campaigns. 

Attack

In this attack, hackers are highlighting text in white, which makes it invisible to the reader but fools Natural Language Processing filters into thinking it’s a clean email. The email itself is a classic credential harvesting scheme. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Highlighted Text
  • Target: Any end-user

 

Email

In this attack, hackers are highlighting parts of their email in white. That makes it invisible to the end-user. The anti-phishing filters are fooled, thinking this credential harvesting email is actually legitimate. 

 

Email Example #1

The user sees what looks like a standard email regarding an invoice, in this case to PayPal. 


Email Example #2

 

This is what the anti-phishing filter sees. Notice the random characters strung throughout. 

Techniques

In this attack, hackers are adding text that’s been highlighted in white. The end-user can’t see it; the machine sees what looks like gibberish. That fools the scanner into thinking it’s legitimate when in actuality, it’s a credential harvesting email.

Avanan has been tracking for some time the different ways that hackers obfuscate text to get into the inbox. 

We’ve written about how hackers use the unescape Javascript function to bypass Natural Language Processing. We’ve seen how hackers use base64 in the baseStriker attack; or use a zero font size or even a one font size. We’ve seen the Punycode phishing attack, the Unicode phishing attack, and the Hexadecimal Escape Characters phishing attack. For years, Avanan has seen plenty of different ways that hackers use obfuscation. 

All these methods have the same aim: to show one message to the end-user, and another to the anti-phishing filter. It’s an effective way to not only bypass phishing filters but also fool end-users into clicking onto something they shouldn’t.

This email takes advantage of a classic social engineering ploy–the auto-renewal. By sending an email with a charge of a hefty sum, it will induce some folks to click or call to rectify what seems like a fraudulent charge. The email was sent on the same day as the purported renewal, adding even more urgency. 

Between fooling filters and giving end-users incentive to click, these sorts of attacks pack a one-two punch that is quite effective. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Encourage end-users to check with bank or credit card to ensure the potential charge is legitimate
  • Remind users not to blindly call numbers; a Google search of the number in the email reveals it’s not from PayPal. 
  • Deploy protection that can detect non-ASCII characters