Phishing attacks carried out via text messages that use the “Punycode” technique to make nefarious URLs look legitimate are becoming more popular, cloud security firm Zscaler says.
Referred to as SMiShing, SMS phishing is a technique where attackers use text messages in an attempt to trick users into clicking a link that usually leads to malware or asks for sensitive information from the victims.
Recently, cybercriminals engaged in SMiShing campaigns started using Punycode (a technique also known as homograph attack) to deceive users into believing they are accessing a legitimate link. Specifically, the attackers replace one or more characters in the URL with similar-looking characters that are represented differently in Punycode.
Attacks leveraging Punycode are not new and have been targeting Office 365 business users and Chrome and Firefox users, but only recently they started occurring more frequently in text message attacks.
SMiShing has been on the rise since the beginning of the year, and the adoption of new techniques clearly make it an important threat.
The use of Punycode as part of SMiShing campaigns increases the chances for successful compromise, as mobile phone users are unlikely to notice the modified URL.
In one of the observed incidents, the unsuspecting user received a WhatsApp message pretending to be a link to a Jet Airways offer of free air tickets. Although looking like the actual jetairways.com website, the link was using a homograph attack, thus getting the user to xn-jetarways-ypb.com instead.
If the link is accessed on an iPhone, Safari attempts to load the phishing website without displaying the correct link. Chrome on Android, however, displays the correct link (shows the URL in Punycode format) instead.
“The Web browsers decide whether to display the IDN or Punycode format based on conditions like the presence of certain characters which can spoof the separators like "." or "/", determining whether all characters come from same language, if characters belong to allowable combinations or by checking if the domain belongs to whitelisted TLDs,” Zscaler explains.
The domain used as part of the observed attack was newly registered, within the last two weeks, the researchers say. They also note that, after being served the phishing page, victims are redirected to another domain, newuewfarben[.]com, which can be used to serve malware.
“SMiShing has been on a rise in year 2018 and the addition of homograph technique will continue to make it more effective against unsuspecting mobile users. Web browsers have implemented protections against homograph attacks, but because of the legitimate use of Punycode characters, it becomes very difficult for the developers to implement a foolproof fix. Attackers leverage this to work around the rules and create homographs which are displayed as IDNs despite being malicious in nature,” Zscaler concludes.
Cross-posted with grateful acknowledgement to SecurityWeek.
Wouldn't it be great if your users had a way to "roll back time" when they forgot to think before they click on a bad link? Now they can!
We are excited to announce Second Chance, a brand-new security tool for the Outlook email client that you can download and deploy at no cost.
Second Chance enables your user to make a smarter security decision by giving them a way to back out of a click that could be in a phishing email. It takes an intelligent look at the clicked URL in email, and asks your user if they are sure they want to do this, in case they clicked on a potentially unsafe or an unknown website. It even prompts your user when they click on a Punycode link!
You might ask: "What happens if my user continues or aborts their action?" If they choose to abort their action, the prompt will be closed, and the URL will not be opened. If they choose to continue, their browser will navigate to the URL they clicked on.
Here's how it works:
- Checks links originated in email messages, including attached Office Docs and PDFs
- Ability to customize the message your user gets after clicking a URL
- You can set "No Prompt" domains
- Get reporting data on what URLs users chose to abort or continue
There are more technical details on our support site.
Second Chance could one day be the difference between a ransomware infection and a free weekend. Give it a try!
PS: Don't like to click on redirected buttons?
Cut & Paste this link in your browser: https://www.knowbe4.com/second-chance