Typosquatting and Homographs Flashcards
This lesson covers two visual tactics used to trick recipients into believing that an email address or domain is legitimate: typo squatting and homographs.
Typo Squatting
Typo squatting is the act of impersonating a brand or domain name by misspelling it, for example by dropping letters or adding extra ones. Below are some examples of domains that typo squat the real SBT domain, securityblue.team.
securltyblue.team
securitybllue.team
securtyblue.team
At a glance, they all look somewhat legitimate. It’s only when you really focus on them that you can identify the issues.
The ‘I’ in “security” is actually a lowercase L
There are two L’s in “blue”
There is no ‘I’ in “security”
Large organizations may choose to generate a list of similarly named domains and then either use a monitoring solution to see whether someone has registered any of them, or pay to register the domains under the business name themselves, preventing anyone else from taking them.
We’ve purchased one of our potential typo squat domains, securltyblue.team - check it out!
Example Walkthrough
This tactic is used when registering a domain, because the typo squatted name can then be used for a website and even for custom email addresses. Let’s walk through a mock scenario in which attackers want to send a spear-phishing email to a member of the HR department at Dickson United. Their goal is to retrieve personal information on an employee working in the company’s IT service desk, as preparation for blackmailing that employee into giving the hackers remote access to company servers.
The hackers know that John Doe is a service desk analyst within the IT support team at Dickson United. Samantha Moore is new to the organization and works in HR. The domain for the organization is DicksonUnited.co.uk - so the attackers decide to register DicksonUnted.co.uk.
The attackers work out Samantha’s work email address from the organization’s standard naming convention (samantha.moore@DicksonUnited.co.uk). Because the attackers own the typo squatting domain, and their web host offers webmail accounts through Office365, they can create any email address they like, such as “anything@dicksonunted.co.uk”. The attackers decide to pose as a senior HR manager, Chloe Wood, and register the mailbox “Chloe.wood@dicksonunted.co.uk”.
They send the tailored email to Samantha Moore, posing as the senior HR manager Chloe Wood. At a glance, the typo squatted sender address looks completely legitimate. Samantha believes she is being contacted by her superior and completes the request, sending “Chloe” personal information on the true target, John Doe.
Homographs
A homograph phishing attack is virtually impossible for users to spot. This attack exploits the fact that many different characters look exactly alike. These characters are called homographs, and the problem is with how the characters are encoded using Unicode.
Wikipedia summarizes that “Unicode incorporates numerous writing systems, and, for a number of reasons, similar-looking characters such as Greek Ο, Latin O, and Cyrillic О were not assigned the same code. So, the Latin ‘o’ and the Cyrillic ‘o’ have a different Unicode and are therefore different letters.” It also means that domains containing those two different Os are two different domains. Domains using non-Latin letters are referred to as internationalized domain names (IDN) and are used quite frequently in homograph attacks.
The scary fact is that users cannot spot this attack, so security awareness training is ineffective at preventing users from interacting with phishing emails that use homographs in domain names and email addresses. The issue needs to be addressed with effective email security technology, such as tools that visit the hyperlinks within emails to determine whether they are malicious.
A great example of a homograph attack is the article by BitDefender titled “New Homograph Phishing Attack Impersonates Bank of Valletta”. Another good resource is this article by The Hacker News that talks about homograph attacks.
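Both tactics in this lesson can be checked mechanically at a mail gateway: typo squats sit a few edits away from a protected domain, and homographs reveal themselves in the Unicode script of each letter and in the IDNA (punycode) form the DNS actually resolves. The following is an added example, not code from Security Blue Team; the protected-domain list and the sample addresses are constructed from the lesson’s examples, and the Cyrillic о in the last address is inserted to show the homograph case.

```python
import unicodedata

# Constructed list of domains to protect; both appear in the lesson above.
PROTECTED_DOMAINS = ["securityblue.team", "dicksonunited.co.uk"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].strip().lower()


def analyze_domain(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> dict:
    """Verdicts: 'trusted' (exact match), 'homograph' (non-ASCII or mixed-script
    letters), 'typosquat' (within max_distance edits of a protected domain),
    otherwise 'unrelated'."""
    d = domain.strip().lower()
    # IDNA (punycode) form: what the DNS and a mail gateway actually see.
    info = {"domain": d, "punycode": d.encode("idna").decode("ascii")}
    if d in protected:
        info["verdict"] = "trusted"
        return info
    # Unicode character names start with the script, e.g. "LATIN SMALL LETTER O"
    # versus "CYRILLIC SMALL LETTER O": same glyph, different code point.
    scripts = {unicodedata.name(c).split()[0] for c in d if c.isalpha()}
    if not d.isascii() or len(scripts) > 1:
        info.update(verdict="homograph", scripts=sorted(scripts))
        return info
    closest, dist = min(((p, levenshtein(d, p)) for p in protected), key=lambda t: t[1])
    if dist <= max_distance:
        info.update(verdict="typosquat", impersonates=closest, distance=dist)
    else:
        info["verdict"] = "unrelated"
    return info


if __name__ == "__main__":
    for addr in ["chloe.wood@dicksonunted.co.uk", "it@securltyblue.team",
                 "hr@dicks\u043enunited.co.uk"]:   # constructed; U+043E is Cyrillic o
        print(addr, "->", analyze_domain(sender_domain(addr)))
```

The three lesson domains each score an edit distance of 1 from securityblue.team, while the Cyrillic-о address fails the exact match and is flagged as a homograph before any distance check.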