Dark Reading reports that researchers at Inky have observed attackers using a text reversal technique to get their phishing emails past security filters. Many email security filters monitor for patterns of text that are known to be suspicious. Attackers try to craft their emails so that the security filters can’t see any suspicious text, but the message still displays correctly to the user.
In this case, the attackers are using a CSS feature that reverses a string of characters in the HTML code. The HTML rendering engine can display text running in both directions in order to handle languages like English, that run left-to-right, as well as languages like Arabic, that run right-to-left.
In the phishing email itself, a user would see the text “Office 356,” followed by “You have a miss call from below.” This was accompanied by a link to a phishing site where the user could supposedly listen to a new voicemail. The strings of text in the HTML code were reversed, however, so the email security solution would see “563 eciffO” and “woleb morf llac ssim a evah uoY.”
Inky’s CEO Dave Baggett told Dark Reading that there are other techniques attackers use to deceive security filters, such as setting the size of the font to zero.
“This is just another method the attacker can use to hide text,” Baggett said. “Anecdotally, it’s used a lot less frequently than ordinary zero font, but that’s probably because it will take a while for this tactic to find its way into phishing kits purveyed on the Dark Web.”
Technical defenses will never be able to stop every attack. Attackers know organizations have security solutions in place, so part of their strategy involves crafting emails that can evade these defenses. New-school security awareness training can help your employees spot the emails that slip through the cracks.