The ABCs of Anti-Phishing and Web Access Protection

Homoglyph attacks: high-value targets are protected by ESET

The Cypriot security watchdog, CSIRT, warns about a fake PayPal site that spreads the Nemty ransomware using a so-called homoglyph attack.

Homoglyph attacks rely on replacing characters in addresses with ones that look similar – or even optically identical – but are actually different, as they belong to different alphabets. These attacks are extremely dangerous for users, as they have only a limited chance of detecting the trap.

Fortunately, ESET users are safe here. We have a set of predefined high-value targets – notably banks, financial institutions and payment platforms, prominent email services, and reputable media – which we protect against homoglyph attacks. We check every letter in their URLs against a table of similar-looking letters from other alphabets and warn the user if we detect an attempt at deception. This security layer is part of the Anti-Phishing (and Web Access) layer in ESET’s business and consumer products.

In the mentioned attack on PayPal users, the address contained the “correct” letters taken from the Latin alphabet – with two exceptions. The attackers replaced both instances of the letter P with a “P” look-alike letter, but from a different alphabet. This “P” look-alike letter was taken from the Russian alphabet, where it is equivalent to the letter R. With this kind of swap, users have absolutely no chance to see any difference and are therefore dependent on protective technologies.

Figure 1. Another example of a homoglyph letter swap as read by humans vs computers

Recently, we’ve also detected another homoglyph attack on users of the PayPal service. Instead of the first “a” in the well-known web address, the similar-looking “ạ” from the Unicode block called “Latin Extended Additional” was used. This domain has also been classified as malicious.
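The following is an added illustration of the check described above (it is not ESET’s code): each character of a domain name is reduced to the ASCII letter a human reads, using a small constructed look-alike table for letters from other scripts and NFKD decomposition for accented Latin letters such as “ạ” and “ṇ”, and the result is compared with a list of protected domains. The table, the protected list and the function names are assumptions made for the example; it also covers the Cyrillic “P” swap and the “ạ” case from the PayPal attacks.

```python
import unicodedata

# Constructed look-alike table (a small subset of Unicode's confusables):
# character from another script -> the ASCII letter a reader sees.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER (the "P" in the PayPal case)
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Hypothetical list of high-value targets to guard (constructed).
PROTECTED = {"paypal.com", "apple.com", "binance.com"}


def skeleton(name: str) -> str:
    """Map a domain name to the ASCII string a human would read.

    Accented Latin letters such as 'ạ' (U+1EA1) or 'ṇ' (U+1E47) are split by
    NFKD into base letter + combining mark, and the mark is dropped; letters
    from other scripts go through LOOKALIKES; everything else is kept.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.combining(ch):
            continue
        out.append(LOOKALIKES.get(ch, ch))
    return "".join(out)


def check_domain(domain: str):
    """("ok", target) for a genuine protected domain, ("homoglyph", target)
    when the domain merely reads like one, ("unknown", None) otherwise."""
    dom = domain.lower().rstrip(".")
    if dom in PROTECTED:
        return "ok", dom
    guess = skeleton(dom)
    if guess != dom and guess in PROTECTED:
        return "homoglyph", guess
    return "unknown", None


if __name__ == "__main__":
    for d in ("paypal.com", "\u0440ay\u0440al.com", "p\u1ea1ypal.com",
              "bi\u1e47ance.com", "\u0430\u0440\u0440\u04cf\u0435.com"):
        print(d, "->", check_domain(d))
```

A real deployment would use the full Unicode confusables data rather than this short table, and would apply the check per label, since mixed-script labels are the usual sign of a swap.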

How widespread is this threat?
The domain our users most often see impersonated using homoglyphs is, by far, apple.com. This is particularly interesting, as our researchers have noted that all letters have been replaced with their non-Latin look-alikes. However, due to the nature of the “homoglyphed” domain, it is clear that this case is purely educational in nature.

Figure 2. Domains most targeted with homoglyph attacks in Q2 2019

Not counting apple.com, the most homoglyph-attacked domains belong to financial institutions. Of interest is that, for the first time, the website of a cryptocurrency exchange and wallet has appeared. In this case, some users of the binance.com service were served a modified address in which the Latin letter “n” was replaced with “ṇ”, named “Latin Small Letter N with Dot Below”, from the “Latin Extended Additional” block.

Because there are as many possible manipulations as there are letters, and many alphabets contain characters with at least a visible resemblance to Latin ones, users need the protection provided by multilayered cybersecurity technology.

written by Patrik Sucansky, ESET
