Microsoft has taken legal action to shut down eighteen domains that were being used in business email compromise (BEC) attacks. The sites in question used homoglyphs to impersonate Microsoft websites. Homoglyphs are characters that visually resemble other characters, like the Cyrillic “Н” and the Roman “H,” but which are in fact distinct characters with distinct code points.
“These malicious homoglyphs exploit similarities of alpha-numeric characters to create deceptive domains to unlawfully impersonate legitimate organizations,” the researchers write. “For example, a homoglyph domain may utilize characters with shapes that appear identical or very similar to the characters of a legitimate domain, such as the capital letter “O” and the number “0” (e.g. MICROSOFT.COM vs. MICR0S0FT[.]COM) or an uppercase “I” and a lowercase “l” (e.g. MICROSOFT.COM vs. MlCROSOFT[.]COM). We continue to see this technique used in business email compromise (BEC), nation state activity, malware and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks.”
Microsoft explained that the domains were used in BEC attacks to trick employees into believing that they were heading to a Microsoft site.
“In this instance, the criminals identified a legitimate email communication from the compromised account of an Office 365 customer referencing payment issues and asking for advice on processing payments,” the researchers write. “The criminals capitalized on this information and sent an impersonation email from a homoglyph domain using the same sender name and nearly identical domain. The only difference between the genuine communication and the imposter communication was a single letter changed in the mail exchange domain, done to escape notice of the recipient and deceive them into believing the email was a legitimate communication from a known trusted source.”
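The mail-domain trick described above can be caught mechanically before a human has to spot the changed letter. The following is an added example (not Microsoft's code and not part of the original story) of a small homoglyph check a mail gateway or SOC script could run on sender and link domains: it decodes punycode labels, flags labels that mix Unicode scripts, folds a constructed table of look-alike characters into a canonical "skeleton," and compares that skeleton against a list of protected brand domains. The confusable table and the `microsoft.com` protected list are assumptions for illustration.

```python
import unicodedata

# Constructed confusable table: look-alike characters folded to one canonical
# ASCII form. Covers the examples in the story (O/0, I/l, Cyrillic Н/Latin H)
# plus a few other common Cyrillic look-alikes; extend it for your own brands.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l",             # 0 vs O, 1 vs l, I vs l
    "\u043d": "h",                             # Cyrillic н (Н) vs Latin h (H)
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "l",
}

def to_unicode(domain: str) -> str:
    """Lowercase and decode punycode (xn--) labels so homoglyphs are visible."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label stays as-is; still compared below
        labels.append(label)
    return ".".join(labels)

def skeleton(domain: str) -> str:
    """Fold confusable characters into one canonical form for comparison."""
    text = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def scripts_in(label: str) -> set:
    """Unicode scripts (first word of the character name) of a label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_domain(domain: str, protected: list) -> dict:
    """Report whether a sender/link domain looks like a homoglyph of a protected brand."""
    uni = to_unicode(domain)
    findings = {"domain": domain, "decoded": uni, "impersonates": None,
                "non_ascii": not uni.isascii(),
                "mixed_script": any(len(scripts_in(l)) > 1 for l in uni.split("."))}
    sk = skeleton(uni)
    for brand in protected:
        # Exact brand domain is legitimate; same skeleton but different string is not
        if uni != brand.lower() and sk == skeleton(brand):
            findings["impersonates"] = brand
    return findings

if __name__ == "__main__":
    for d in ["MICR0S0FT.COM", "MlCROSOFT.COM", "micr\u043es\u043eft.com", "microsoft.com"]:
        print(check_domain(d, ["microsoft.com"]))
```

Skeleton matching deliberately over-approximates (every `i` and `l` fold together), so treat a hit as a reason to quarantine or warn, then verify the sender against the known-good domain in your address book.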
Microsoft added that the court order allowed the company to hinder the campaign even if the attackers set up new infrastructure.
“Often, once detected or addressed by Microsoft through technical means, these criminals move their malicious infrastructure outside the Microsoft ecosystem and onto third-party services in an attempt to continue their illegal activities,” Microsoft says. “With this case, we secured an order which eliminates the defendants’ ability to move these domains to other providers. The action will further allow us to diminish the criminals’ capabilities and, more importantly, obtain additional evidence to undertake further disruptions inside and outside court. This disruption effort follows 23 previous legal actions against malware and nation-state groups that we’ve taken in collaboration with law enforcement and other partners since 2010.”
New-school security awareness training can enable your employees to recognize even the subtler ploys used by social engineers.
Microsoft has the story.