Next Level Font Obfuscation

Featuring Fontuscator

Drew Griess
Dec 18, 2022

This is for educational purposes only. Not for malicious use.

Using custom fonts to make “echo be careful” look like “apt install foo”

Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger.

There’s no reason for a letter to look the way it does. In other words, the letter “A” only looks like an “A” because that’s how my font drew it. Thus I could make a font where the letter “A” looks like the letter “B”. This was the basis for my article Beating Plagiarism Checkers for Science. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable.

The Declaration of Independence with a “Low risk of Plagiarism”

Additionally, there are reports of phishing toolkits that use substitution ciphers to evade programmatic detection. To a computer, the text is gibberish, but to a human, it could be a phishing message.

To take this a step further, I created the program Fontuscator. This program generates many custom fonts so that a letter can look like any other letter. Depending on the font in use, the letter “A” can look like “B” or “C” or even a space. To do this, my program uses a unique font for each character.
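Because each character gets its own font, the markup itself is a usable detection signal. The scanner below is an added example, not part of Fontuscator or the original post: it flags runs of one-character text nodes that each carry a different inline `font-family`, and reports the text a machine (or a copy-paste) would actually see. The inline-style markup, the `obfN` font names, the thresholds and the names `PerCharFontScanner` and `scan` are assumptions; Fontuscator's real output format is not shown here.

```python
# Added example. Assumption: obfuscated text is emitted as adjacent elements
# holding one character each, with the font set in an inline style attribute.
import re
from html.parser import HTMLParser

FONT_RE = re.compile(r"font-family\s*:\s*([^;]+)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta", "wbr"}  # never closed

class PerCharFontScanner(HTMLParser):
    def __init__(self, min_len=4, min_fonts=3):
        super().__init__()
        self.min_len, self.min_fonts = min_len, min_fonts
        self.stack = []     # inline font-family (or None) per open element
        self.run = []       # consecutive (char, font) one-character nodes
        self.findings = []  # (underlying text, number of distinct fonts)

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        m = FONT_RE.search(dict(attrs).get("style") or "")
        self.stack.append(m.group(1).strip(" '\"").lower() if m else None)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        font = next((f for f in reversed(self.stack) if f), None)
        if len(data) == 1 and font:
            self.run.append((data, font))
        elif data.strip():  # ordinary text ends the current run
            self.flush()

    def flush(self):
        fonts = {f for _, f in self.run}
        if len(self.run) >= self.min_len and len(fonts) >= self.min_fonts:
            self.findings.append(("".join(c for c, _ in self.run), len(fonts)))
        self.run = []

def scan(html):
    scanner = PerCharFontScanner()
    scanner.feed(html)
    scanner.close()
    scanner.flush()  # report a run that reaches the end of the document
    return scanner.findings
# Constructed sample: every character of the underlying text in its own font.
SAMPLE = "<p>Run: " + "".join(
    f"<span style=\"font-family: 'obf{i}'\">{c}</span>"
    for i, c in enumerate("echo be careful")) + "</p>"
if __name__ == "__main__": print(scan(SAMPLE))
```

Fonts assigned through CSS classes rather than inline styles would need the stylesheet resolved first; the run-of-single-characters heuristic stays the same.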

I created a demo to show how this works on a web page. Sometimes the fonts load slowly; this could be avoided by not showing the text until all of the fonts have loaded.

→ →Check out the demo here←←

One sentence looks like another!

There are several malicious use cases for this type of obfuscation to look out for:

  1. Make a phishing link look like a trusted link
  2. Bypass plagiarism checkers
  3. Disguise a malicious Linux command as a safe command (make “rm -rf /h*” look like “echo hello”)
  4. Bypass spam filters by having spam messages look like helpful messages

Let me know about other use cases in the comments!

Fontuscator can be found with this link. Give it a try if you'd like!
