Trustmi Talks

Behind the Breach: Text Salting - The Invisible Threat in Your Inbox


The Gist

Cybercriminals are increasingly employing a method known as “text salting” to bypass traditional email security programs. With this method of evading detection, fraudsters leverage features of Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) to insert malicious elements into the source code of emails while remaining invisible to the human eye.

According to researchers from Cisco Talos, this way of evading brand name extraction by email parsers, confusing language detection procedures, and preventing security solutions from decoding and analyzing attachments began to gain traction in the second half of 2024. Since then, this attack method has increased in popularity due to its effectiveness.

How It Works

Attackers employ various techniques to facilitate text salting, including:

  1. Invisible Characters: Fraudsters will insert Zero-Width Space (ZWSP) and Zero-Width Non-Joiner characters between the letters of keywords or brand names to confuse detection solutions.
  2. CSS Manipulation: Attackers insert properties such as “overflow:hidden” and “display:inline-block” to hide the malicious code in their messages.
  3. Soft Hyphens: Unicode soft hyphens are used to separate letters. While these are recognized by Secure Email Gateways (SEGs), they are invisible to the human eye.
  4. HTML Comments: Irrelevant comments are added between base64-encoded characters in HTML attachments, disrupting security solutions.
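
One way a filter can undo the four techniques above before brand or keyword matching, recovering only the text a reader would actually see. This is an added example, not code from Trustmi or Cisco Talos; the names `Desalter` and `desalt`, the `HIDDEN_STYLE` heuristic, the extra invisible code points and the "ExampleBank" sample are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# ZWSP, ZWNJ, soft hyphen (from the list above); ZWJ, WJ, BOM are an added assumption.
INVISIBLE = set("\u200b\u200c\u00ad\u200d\u2060\ufeff")
# Assumed heuristic for inline styles that hide content from the reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|font-size\s*:\s*0(?![.\d])"
    r"|(?<![-\w])(?:max-)?(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}

class Desalter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.stack = [], []
        self.findings = {"invisible_chars": 0, "hidden_elements": 0, "comments": 0}

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        hidden = bool(HIDDEN_STYLE.search(dict(attrs).get("style") or ""))
        self.findings["hidden_elements"] += hidden
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:  # pop to the matching open tag
                del self.stack[i:]
                break

    def handle_comment(self, data):
        self.findings["comments"] += 1  # comments never reach the visible text

    def handle_data(self, data):
        if any(hidden for _, hidden in self.stack):
            return  # text inside a hidden element is not shown to the reader
        self.findings["invisible_chars"] += sum(c in INVISIBLE for c in data)
        self.visible.append("".join(c for c in data if c not in INVISIBLE))

def desalt(html):
    """Return (normalized visible text, indicator counts) for an HTML body."""
    parser = Desalter()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.visible).split()), parser.findings

# Constructed sample; "ExampleBank" is a made-up brand.
SAMPLE = ('<p>Ex\u200bam\u200cple<span style="display:inline-block;width:0;'
          'overflow:hidden">qz</span>Ba\u00adnk<!-- x --> account locked</p>')
```

A raw substring search for the brand fails on `SAMPLE`, while the text returned by `desalt(SAMPLE)` matches it; the non-zero indicator counts are themselves a signal worth scoring.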

Why They Do It

Text salting is proving to be an increasingly popular method of attack for fraudsters for two reasons: its simplicity and its effectiveness. By inserting hidden characters into brand names, fraudsters can bypass filters designed to detect impersonation attempts. This can also be done using a language different from that of the intended target, which confuses language detection systems.

Lastly, keyword-based filters are disrupted when irrelevant content is added, allowing their emails to slip through undetected, all while looking completely benign.

Trustmi’s Take

Although text salting is a relatively simple means of bypassing traditional security mechanisms, it is an incredibly effective and dangerous attack method. And as Cisco Talos researchers have found, it’s a method that will likely continue to grow in popularity.

To defend against this rising threat, organizations must implement comprehensive security solutions that break down siloed operations and provide end-to-end visibility over the entire payments ecosystem. These solutions should also leverage behavioral AI to detect and flag suspicious and malicious behavior autonomously, preventing a potential business disaster.
