A successful phishing attack uses trickery to fool unwitting suspects into revealing personal details or clicking a malicious link. The complexity of phishing attacks has gone from strength to strength over the years, too. And while the simple email with a fake company logo still works, scammers are going to greater lengths to implement their scams.
The latest play from the phishing scammers book is the URL spoof—a lookalike URL posing as one that you usually trust. But how does a scammer make their URL look the same? And how can you avoid being caught out? Let’s take a look.
International Domain Names: A Very Brief History
To understand how a scammer spoofs a URL, you need to understand a little more about how domain names work.
Until 2009, URLs could only comprise of the Latin letters a to z, without accents, glyphs, or any other symbols. The Internet Corporation for Assigned Names and Numbers (ICANN), a non-profit organization that maintains vital databases intrinsic to the internet functioning, changed this system. internet users were now able to register URLs using a vast range of alternative scripts, including Greek, Cyrillic, and Chinese, as well as Latin characters containing accents and more.
There is a good reason for this change. As the internet expands, so the demographics of its user’s change. For instance, from 2009 to 2017, the number of internet users in North America grew from 259 million to 320 million, a 23-percent increase. At the same time, the number of internet users across Asia grew from 790 million to 1.938 billion, a 145-percent increase.
As the North American and a large proportion of the European market heads towards saturation, the rest of the world is only just coming online, and it is those languages and alphabets which are shaping the direction of the internet.
Scripts Allow URL Spoofing
The introduction of a wide range of new scripts to the URL domain registration was a new attack avenue for scammers. Also known as a homographic domain name attack, scammers register URLs using non-Latin characters that look exactly the same as their regular counterparts.
Let’s use the makeuseof.com URL as an example. The regular URL uses standard Latin characters. But we can make some incredibly subtle changes to the URL using non-standard characters. In fact, this time around, makeuseof.com is written entirely differently. How?
I replace the Latin “a” (U+0041, the character’s Unicode identifier) with an “a” (U+0430) from the Cyrillic alphabet, and the Latin “o” (U+006F) with the small Omicron (U+03BF) from the Greek alphabet. Notice the difference? Of course not. And that’s precisely why URL spoofing works. The introduction of homographic (visually similar) letters to the original URL allows a potential scammer to register the makeuseof.com URL.
Combine the fake URL with a stolen HTTPS certificate and a scammer can impersonate the very site you’re reading this article on (wait… is this the real site?).
The makeuseof.com URL is an excellent example because it has two homographic characters. At other times scammers substitute similar letters that also include accents, glyphs, diacritics, and more. Let’s use the makeuseof.com URL again, but this time using a wider-range of substitute characters.
To illustrate the point I’ve included some pretty obvious character modifications in the above example. This is how our fake URL looks in the Google Chrome Omnibox, too.
Stands out, right? If the URL appears as a link in an email, some users won’t catch the difference. The same can be said for the browser status bar that previews the URL you’re about to click. It is small and somewhat out of sight, so you might not notice a URL with subtler differences than our example.
You don’t have to become a victim. Some modern browsers are already taking steps to stop users visiting URL lookalike sites. Chrome, Safari, Opera, and Microsoft Edge all have mitigations in place.
Brian Krebs’ site has a great example of this mitigation tactic, where an inconspicuous-but-fake version of ca.com actually resolves to xn--80a7a.com.
This translation is known as “Punycode,” and many browsers use this special encoding format to provide direct protection against homograph phishing attacks. Punycode essentially locks the browser character set to a basic ASCII set containing a-z, A-Z, and 0-9 (also known as the LDH rule, for Letters, Digits, Hyphens).
Want to see how your website shapes up? Check out this domain checker that Hold Security developed. Pop your domain and corresponding top-level domain (such as .com or .org) into the search, and off you go. Luckily for us, there are no makeuseof.com impersonators on the internet—but there are 186 possible variations if someone did want to mimic the site.
Internationalized domain name homograph phishing attacks aren’t all that new. They’re increasing in notoriety because scammers are making better use of their available toolset. The homograph attack is actually very similar to another domain phishing scam: typosquatting.
Typosquatting is the practice of registering a slew of commonly misspelled domain names and hosting malicious content or a fake login portal for unsuspecting users. For instance, how many times have you rapidly typed “Amozon” or “Facebok?” Actually, larger sites like this sometimes account for misspellings, and you’ll end up at the right place… most of the time. You should remain vigilant, though.
Staying Secure and Avoiding Spoofed URLs
Spotting a doctored or tampered URL comes with its own set of difficulties. Moreover, if the malicious URL has a “legitimate” HTTPS certificate, it makes detection that bit harder. But you don’t have to struggle alone.
As previously mentioned, your browser attempts to mitigate this issue already by forcing all URLs to adhere to Punycode. Outside the browser, however, you’re more or less flying solo—but here are a few tips, nonetheless.
- Emails: Don’t click links within emails. You should always double check where the link you’re about the click is taking you, even if it is from someone you trust.
- Email client: Depending on your email client, you might have the option to disable links within incoming emails completely; alternatively, increasing the junk-filter level will remove a significant amount of incoming malicious mail.
- Link check: Use a link checker if you’re unsure. For instance, you receive a suspect link via email. Instead of clicking it, copy and paste it into one of these five-link checkers to validate it. The same goes for your social media accounts.
- Social media: Similar to your email, don’t just click on any link that pops up on your feed.
- Browser: Keep your browser up to date. An update to Chrome and Firefox in 2017 suddenly altered the Punycode encoding process and made both browsers temporarily vulnerable to a homograph attack.
And, as ever, education as to the myriad security threats we face online is the best mitigation tactic of all. Once you start to notice some of the more obvious malicious online activities taking place around you, you’re immediately working much safer.