Beware 'rnicrosoft.com' and similar sp00fed links in e-mail

I had the privilege of presenting the Live Cyber Attack Demo to a standing-room-only crowd on the morning of the third day of the FOSE conference recently in Washington, D.C. After making introductions, I handed the show off to the experts, who broke down a number of attacks such as phishing and indicated how an organization’s IT staff can detect and stop them.

I found the demonstration to be enlightening, and from all the note-taking and questions, the audience seemed to get a lot out of it as well.

Although the event focused mainly on what can be done to detect and stop attacks at a network level, I noticed that constant vigilance on the part of the user is more important than ever. 


I hope we all know by now not to click on links that look like they come from a legitimate company when hovering over them reveals that the target is really some other URL entirely. Likewise, I'm sure we know to steer clear of "self-extracting PDFs" and attached .zip files in e-mails from the "Post Office."

But some of the things the demo experts — Jonathan Tomek of ThreatGRID and Mischel Kwon and Matt Norris, CEO and chief technology officer, respectively, of Mischel Kwon and Associates — told us made clear that the user has to be, if anything, even more aware of possible threats and proactive in avoiding them.

For instance, they pointed out that a tactic trending again in phishing, targeted phishing and spoofing attacks is the use of homographs. These are characters, from the same alphabet or from different ones, that look alike; by substituting them strategically, an attacker can register a domain name that appears identical to a legitimate one.

Common examples use a zero instead of the letter "O," or take advantage of how a lowercase "L" and a capital "I" look the same in many fonts, producing URLs that look legitimate but send users to malicious sites.

It gets even more complicated with Internationalized Domain Names. The DNS itself carries only ASCII: a label containing letters from another alphabet is registered and resolved in its Punycode form, which starts with "xn--", and it is the browser or mail client that decides whether to display that raw string or the Unicode letters it encodes. Since many letters in the Cyrillic and Greek alphabets look identical to Latin characters, an attacker can register an internationalized domain that, once displayed, looks exactly like another. Holding your mouse over the link may reveal the deception, either because the status bar shows the "xn--" form or because the pop-up font differs enough from the one used in the link text.

This trick has been in the hacker arsenal for a while now. But it tends to cycle in popularity with attackers, and each time it comes back they get more and more clever. I was talking with Tomek after the session, and he brought up a disturbing example. He told me that, since the lowercase letters “r” and “n” together appear similar to the lowercase “m” in most fonts, one of his colleagues had registered the domain “rnicrosoft.com.”

While I’m glad that this domain is owned by one of the good guys, it highlights the fact that no user can let their guard down.

So, please, as always, think before you click!

About the Author

Greg Crowe is a former GCN staff writer who covered mobile technology.

Reader Comments

Fri, Apr 13, 2012 Editor

Editor's note: For some examples, IDN News provides a breakdown of homograph attacks here: http://www.idnnews.com/?p=9459. Microsoft offers advice on how to avoid spoofed links here: http://support.microsoft.com/kb/833786. And there is an overview of IDN homograph attacks on Wikipedia: http://en.wikipedia.org/wiki/IDN_homograph_attack

Fri, Apr 13, 2012 TomQA Mesa, AZ

Can GCN publish or link to an article that shows more homographs, phishing and sp00fing examples? I'm looking for concise information that I can share with my colleagues.

Fri, Apr 13, 2012 Amy Pittsburgh, PA

I agree that homographs are very tricky, and at the pace most people are trying to work, are easily overlooked. However, I think you're giving too much credit to the general population. At Wombat Security Technologies we find that 20% - 60% of an employee population will still fall for the most basic phishing attacks. User awareness training is such an important part of every company's info security plan.
