Homographic Domain Name Phishing Tactics
Bitdefender warns that Microsoft Office applications are vulnerable to phishing tactics that exploit international domain names (IDNs). Affected applications include Outlook, Word, Excel, OneNote, and PowerPoint.
“Homograph (also known as homoglyph) phishing attacks are based on the idea of using similar characters to pretend to be another site,” the researchers write. “While most of them are easily recognizable by end-users with proper training (for example, g00gle.com), the homograph attacks based on international domain names (IDN) can be unrecognizable from the domains they are spoofing.”
This technique shows that users can’t rely solely on checking the URL to ensure that they’re not visiting a phishing page.
“Even if a browser decides to display the real name after opening the link, the email client uses the display name in the preview pane,” the researchers write. “Users, who are trained to validate a link in an email client before they click it, will be susceptible to clicking on it because it has not yet been translated to a real domain name in their browser. The real domain name would only be seen after the page has started to open. The website that opens even has a valid security certificate and is fully controlled by a threat actor.”
The researchers note that this technique probably won’t become as commonplace as other phishing tactics, but it’s still worth watching out for.
“The good news is that homograph attacks most likely are not going to become mainstream – they are not easy to set up or maintain,” Bitdefender says. “However, they are a dangerous and effective tool used for targeted campaigns by APTs (or advanced persistent threats) and high-level adversaries such as Big Game Hunting by Ransomware-as-a-Service groups – whether targeting specific high-value companies (whale phishing) or high-value themes (for example popular cryptocurrency exchanges).”
TechRadar also reported on this attack, adding that homograph attacks abuse the internationalization of the web. “In the early days of the internet, all domain names used the Latin alphabet, which has 26 characters. Since then, the internet has grown to include more characters, including, for example, the Cyrillic alphabet (used in Eastern Europe, and Russia). That gave threat actors a wide playground, as by combining different characters, they can create phishing sites whose URL looks identical to the legitimate site.”
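The gap the researchers describe is that a mail client shows the Unicode display form of a domain while the resolver looks up its ASCII (punycode) form. The following Python is an added example, not code from Bitdefender or TechRadar, showing how a mail gateway or link-scanning hook can surface that difference and flag look-alikes: it converts the display name to punycode with the standard library's `idna` codec, checks each DNS label for mixed scripts, and computes a UTS #39-style "skeleton" against a trusted-domain list. The `CONFUSABLES` map, the `assess` function and the sample domains (including the Cyrillic look-alikes of `google.com` and `scope.com`) are constructed for this example; the trusted list is an assumed input.

```python
"""Defensive check for IDN homograph look-alikes in a display-name domain.

Two independent signals are combined:
  1. mixed scripts inside one DNS label (e.g. Latin g + Cyrillic o), and
  2. a UTS #39-style "skeleton" that maps confusable characters to their
     Latin look-alikes and compares the result with domains the
     organisation trusts.
The second signal also catches labels written entirely in one non-Latin
script, which a mixed-script rule alone would miss.
"""
import unicodedata

# Hand-picked subset of the Unicode confusables table (UTS #39): Cyrillic
# and Greek letters that render like Latin letters in common fonts.
# Constructed for this example; a production check should load the full
# confusables.txt published by the Unicode Consortium.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03bf": "o", "\u03b1": "a",
}


def to_punycode(domain: str) -> str:
    """ASCII form a resolver would actually look up (xn-- labels for IDN)."""
    return domain.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Script names of the alphabetic characters in one DNS label.

    unicodedata exposes no script property, so the first word of the
    character name ("LATIN", "CYRILLIC", "GREEK", ...) is used instead.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Collapse confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def assess(display_domain: str, trusted: set) -> dict:
    """Return the resolver-visible name plus homograph indicators."""
    lowered = display_domain.lower()
    mixed = any(len(scripts_in_label(label)) > 1 for label in lowered.split("."))
    skel = skeleton(lowered)
    lookalike = skel if (skel in trusted and skel != lowered) else None
    return {
        "punycode": to_punycode(display_domain),   # what DNS really sees
        "non_ascii": not display_domain.isascii(),  # legitimate IDNs hit this too
        "mixed_script": mixed,
        "lookalike_of": lookalike,
        "suspicious": mixed or lookalike is not None,
    }


if __name__ == "__main__":
    TRUSTED = {"google.com", "scope.com"}      # assumed organisational allowlist
    SAMPLES = [
        "google.com",                          # genuine
        "g\u043e\u043egle.com",                # two Cyrillic 'o': mixed script
        "\u0455\u0441\u043e\u0440\u0435.com",  # all-Cyrillic "scope": single script
        "m\u00fcnchen.de",                     # legitimate non-ASCII, Latin only
    ]
    for d in SAMPLES:
        print(d, assess(d, TRUSTED))
```

The `non_ascii` flag alone is a poor signal, since legitimate German or French domains trip it; the actionable fields are `mixed_script` and `lookalike_of`, and `punycode` is the value to display next to the link so the reader sees the same name the browser will resolve.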