This specific kit has been used since May of 2018 and has been able to evade detection by using faulty web fonts. The pages are uniquely created with Web Open Font Format files, which replace the original font. They are imitating banking pages which gives them the ability to have victims provide their banking information. Going further than just changing the font, attackers have used the kit to change the logo of an unnamed US bank, but when discovered there was no image or source in the source code. “We first observed the use of this kit in May 2018, but it is certainly possible that the kit appeared in the wild earlier. Most archive dates on resource files we have observed in samples of this kit are dated early June 2018,” researchers verified.