Method used in the wild since at least mid-2018
The new evasion approach has been spotted in a phishing kit with most of its resource files dated early June 2018, but malware researchers first observed it a month earlier.
Given the evasion method used, it is possible that the malicious framework was used in the wild even earlier than this point in time.
Proofpoint experts say that the malicious kit was used in a credential harvesting scheme targeting a major retail bank in the US.
"While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding," note the researchers.