Operation Late Entry is Stealthcare’s internal name for a phishing campaign using source code obfuscation to masquerade compromised domains as authentic websites to steal personal information, such as credit card data. Information is then shared to cross-platform, cloud-based instant messaging applications, such as Telegram. The attacks involve a fake DHL tracking page and Web Open Font Format (WOFF)-based substitution cyphers, targeting shipping service users in the Americas and Europe.
The attack begins with an email imitating DHL informing victims that they have a package awaiting delivery and that they must verify their payment method within 3 business days. Once users are tricked into clicking on the provided link, they are taken to a fake DHL website where users are asked to provide credit card details to verify payment method. If submitted, the site will present users with a generic response while alerting threat actors of the shared credit card data, in the background.
Threat actors utilize WOFF-based substitution cyphers for code obfuscation. Pages containing encoded text will render unreadable without decoding it using a WOFF font file prior to loading the page. This technique is used to evade detection by security vendors since many use static or regex signature-based rules. Additionally, the campaign uses localization of specific targets and displays their corresponding phishing page with the local language, based on the region of the targeted user. The localization code supports major languages spoken in Europe and the Americas including Spanish, English, and Portuguese.
If you receive a suspicious email, the best action to take is to follow the steps provided by the National Cyber Security Centre: How to report to the NCSC
