Website domains can use homographic characters (look-alike letters from other scripts, or variant letter forms) to create very hard-to-spot phishing URLs, Threatpost reports. Cybersecurity researcher Avi Lumelsky demonstrated how easy it is to create one of these domains by using the symbol “ɢ” (LATIN LETTER SMALL CAPITAL G, U+0262) instead of the ASCII character “G” to set up fake Google domains. Lumelsky was able to register ɢoogle.company, ɢoogle.email, ɢoogle.tv, ɢoogle.life, ɢoogle.live, ɢoogle.news, and ɢoogletranslate.com.
Lumelsky then obtained Let's Encrypt certificates for his domains so browsers would mark them as secure (a domain-validated certificate only proves control of the domain name, not who owns it), and he copied the JavaScript code from Google’s real sites onto his own matching domains. This made his sites look and act just like Google’s services. For example, “ɢoogletranslate.com” works
He posted links to his sites on security-focused subreddits and showed that these domains were able to fool even some technically-minded people. While some platforms render such a domain in its Punycode form (an ASCII label beginning with “xn--”) rather than displaying the “ɢ”, Lumelsky noted that on mobile devices the “ɢ” looks much the same as a regular “G.” Additionally, on every platform, the link preview is identical to the real Google site’s preview.
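What the “xn--” form is, and why a simple script check does not catch the ɢoogle trick, is easiest to see in code. The following is an added example written for this page, not code from Threatpost or from Lumelsky's research. It uses only the Python standard library (the built-in `idna` codec, which implements IDNA 2003, and `unicodedata`). The sample hostnames, the tiny confusables table and the protected-brand list are constructed for the example; Unicode's real confusables.txt is far larger.

```python
import unicodedata

# Constructed sample hostnames for this example. The first three mimic the
# homoglyph domains described in the article; "gооgle.com" is a constructed
# mixed-script variant; the last two are legitimate.
SAMPLE_HOSTS = [
    "ɢoogle.company",          # LATIN LETTER SMALL CAPITAL G in place of "g"
    "ɢoogletranslate.com",
    "xn--oogle-wmc.email",     # the same label, already in Punycode form
    "gооgle.com",              # constructed: two CYRILLIC SMALL LETTER O
    "google.com",
    "translate.google.com",
]

# Hand-built confusable table (assumption for this example; a tiny subset of
# Unicode's confusables.txt). Maps a look-alike code point to the ASCII
# letter it imitates.
CONFUSABLES = {
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G (the ɢ in ɢoogle)
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

# Brand names to protect (assumption for this example).
PROTECTED_BRANDS = ["google"]


def to_ascii_form(host: str) -> str:
    """The hostname as DNS (and a Punycode-displaying address bar) sees it:
    Unicode labels become 'xn--' labels, pure-ASCII labels pass through."""
    return host.encode("idna").decode("ascii")


def to_unicode_form(host: str) -> str:
    """Decode any 'xn--' labels back to the Unicode the user is shown."""
    return host.encode("idna").decode("idna")


def skeleton(label: str) -> str:
    """A crude 'skeleton' in the spirit of UTS #39: NFKC-normalise,
    lower-case, then fold each known confusable to the ASCII letter it
    resembles. Two labels with the same skeleton look alike on screen."""
    normalised = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised)


def scripts_in(host: str) -> list:
    """Scripts present, taken from the first word of each letter's Unicode
    name (LATIN, CYRILLIC, ...). Enough to spot mixed-script labels."""
    found = set()
    for ch in host:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return sorted(found)


def assess(host: str) -> dict:
    """Classify one hostname. A label is a look-alike when it contains a
    known confusable AND its skeleton contains a protected brand."""
    ascii_host = to_ascii_form(host)
    unicode_host = to_unicode_form(host)
    lookalike = None
    for label in unicode_host.split("."):
        if any(ch in CONFUSABLES for ch in label):
            folded = skeleton(label)
            for brand in PROTECTED_BRANDS:
                if brand in folded:
                    lookalike = brand
    is_idn = ascii_host != unicode_host
    if lookalike:
        verdict = "BLOCK"
    elif is_idn:
        verdict = "REVIEW"   # non-ASCII, but no known confusable of a brand
    else:
        verdict = "ALLOW"
    return {
        "input": host,
        "punycode": ascii_host,
        "is_idn": is_idn,
        "scripts": scripts_in(unicode_host),
        "lookalike_of": lookalike,
        "verdict": verdict,
    }


def assess_all(hosts=SAMPLE_HOSTS) -> list:
    return [assess(h) for h in hosts]


if __name__ == "__main__":
    for r in assess_all():
        print(f'{r["verdict"]:6} {r["input"]:22} -> {r["punycode"]:26} '
              f'scripts={",".join(r["scripts"])} lookalike_of={r["lookalike_of"]}')
```

Running it shows “ɢoogle.company” as `xn--oogle-wmc.company` with scripts `LATIN` only: the small capital ɢ is a Latin letter, so a policy that only flags mixed-script labels passes it, and it is the confusable fold against a brand list that produces the BLOCK. The Cyrillic variant is caught by both checks. A real deployment would use the full Unicode confusables data (or a library built on it) and a larger brand list, but the shape of the check is the same.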
“Eventually, without much work, I ended up with hundreds of unique visitors (excluding the bots and security scanners or the platforms in which I posted),” Lumelsky said. “It looks and acts just like any google single-page application.”
Lumelsky explained that this technique could be used in phishing campaigns as well as for man-in-the-middle attacks.
“I am making the SSL handshake with the user,” he said. “The original Google application is served, it functions as expected, but I am exposed to the user’s traffic with the domain. Therefore, I can change the body of Google’s response.”
Fortunately, since Lumelsky is a white-hat researcher, he didn’t use these sites for anything malicious. However, criminals can use the same techniques to trick people into handing over their credentials and other sensitive information.
New-school security awareness training can teach your employees to be wary when they follow a link to a website, even if they don’t spot any easily visible warning signs.
Threatpost has the story: https://threatpost.com/convincing-google-impersonation-opens-door-to-mitm-phishing/153745/