What do homoglyph attack and typo-squatting mean?

21. August, 2020

Cautious Internet users are familiar with the widespread recommendations: pay attention to encrypted data transfer, do not click on unauthorized links and only surf to known, trustworthy addresses. Unfortunately, potential attackers are also aware of these tips and look for their weak points. Sometimes these can be found in the smallest details, for example when users rely on valid encryption but do not check closely enough which page they are actually on.

An A for an O: similar or identical looking characters

Homoglyphs are different characters that are easily mistaken for each other because of their appearance. In the simplest case, these are, for example, the letter O and the digit 0, or the capital I and the lowercase l. Swapping “g” for “q” is also very popular, because the brain tends to correct this visual error “automatically”, especially in longer names. Multi-letter homoglyphs are also popular, e.g. “rn” instead of “m”. In more complex scenarios, homoglyphs can also be created using different alphabets and special characters.

These alternative combinations are particularly difficult to spot on small screens and under everyday stress, pressure and hectic conditions. On a superficial look, the false names are easily mistaken for the well-known original.

Homoglyphs in phishing and other scams

Attackers like to combine different tricks and techniques. Emails or even chat messages from frequently used trusted services are faked and links with prepared domain names and URLs are provided. An important message is announced to the user, a voucher is promised or an error in an online order or invoice is faked. The more realistic the scenario, the faster the stress level rises – and the exact checking of the message may be forgotten.

Invitations to video meetings are also very popular at the moment and are prepared in the same way. Clicking on the deceptively real-looking address opens the wrong website – naturally with a “correct” certificate in the background, so that the browser displays a correctly encrypted connection. This combined type of fraud is also known as “typo-squatting”.

Continuous optimisation makes recognition more difficult

Up to now, homoglyph attacks have faced a major obstacle: the user had to be lured onto the fake website and reveal confidential information there. However, current campaigns are much more creative. While fake sites are often still recognizable by inconsistencies and errors, sophisticated attacks only fetch a small piece of JavaScript from the fake site. The “skimmer code” contained there exploits a current security hole to load a further routine. Immediately afterwards, the web browser is redirected to the correct page so as not to arouse suspicion. The infiltrated malicious code then attempts to collect user and payment data in the background and transfer it to an external site.

Since fake pages no longer have to be built and maintained, these attacks can now be generated automatically for many different services and pages. This has been observed across different groups and attacks. [1] IKARUS already warned of attacks with homoglyphs in connection with Emotet.

What precautions should be taken?

As always, users should be especially careful when they receive emails or other messages with news that seems too good to be true, gifts, or strange information about invoices or orders. Examine possible irregularities skeptically: Where does the contact get my work address, for example, if I always place my online orders using my private address?

In addition to raising the awareness of employees, URL filtering with appropriate security software helps. The safest way is not to click on links at all, but to enter the desired URLs manually into the web browser.
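The kind of look-alike check a URL filter can apply to the substitutions described above, shown as an added example (not IKARUS code). The trusted-domain list, the character table and all function names are assumptions constructed for illustration, and the table is a small sample rather than a complete confusables list.

```python
import unicodedata

# Constructed allow-list; in practice, the domains your organisation really uses.
TRUSTED = {"google.com", "microsoft.com", "paypal.com"}

# Substitutions named in the article, folded to one canonical character.
SINGLE = {"0": "o", "1": "l", "i": "l", "q": "g",
          # Small, incomplete sample of Cyrillic letters that render like Latin ones.
          "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
MULTI = [("rn", "m")]  # multi-letter homoglyph


def to_unicode(host):
    """Lower-case the host and decode punycode (xn--) labels for inspection."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: inspect as given


def skeleton(name):
    """Fold look-alike characters so visually similar names compare equal."""
    name = unicodedata.normalize("NFKC", name).lower()
    name = "".join(SINGLE.get(ch, ch) for ch in name)
    for seq, repl in MULTI:
        name = name.replace(seq, repl)
    return name


def scripts(label):
    """Alphabets used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED}


def check_host(host):
    """Return (verdict, imitated_domain_or_None) for a hostname taken from a link."""
    labels = to_unicode(host).split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    if any(s in TRUSTED for s in suffixes):
        return ("trusted", None)        # the domain itself or one of its subdomains
    for s in suffixes:
        imitated = TRUSTED_SKELETONS.get(skeleton(s))
        if imitated:
            return ("lookalike", imitated)
    if any(len(scripts(label)) > 1 for label in labels):
        return ("mixed-script", None)   # suspicious even without a known target
    return ("unknown", None)
```

Folding both the trusted names and the candidate to the same skeleton means a legitimate domain can collide with a trusted one, so a "lookalike" verdict is a reason to block or review, not proof of fraud.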

Link tip:

“Emotet”: one of the most dangerous malware programs in the world

[1] https://securityaffairs.co/wordpress/106916/hacking/homoglyph-attacks-phishing-campaign.html
