Even if you check the URLs for links in e-mail and other messages, you could still be fooled by homographs.
I had the privilege of presenting the Live Cyber Attack Demo to a standing-room-only crowd on the morning of the third day of the FOSE conference recently in Washington, D.C. After making introductions, I handed the show off to the experts, who broke down a number of attacks such as phishing and indicated how an organization’s IT staff can detect and stop them.
I found the demonstration to be enlightening, and from all the note-taking and questions, the audience seemed to get a lot out of it as well.
Although the event focused mainly on what can be done to detect and stop attacks at a network level, I noticed that constant vigilance on the part of the user is more important than ever.
I hope we all know by now not to click on links that look like they are from a legitimate company when a mouse-over will reveal that it’s really some other URL entirely. Likewise, I’m sure we know to steer clear of “self-extracting PDFs” and attached .zip files in e-mails from the “Post Office.”
But some of the things the demo experts — Jonathan Tomek of ThreatGRID and Mischel Kwon and Matt Norris, CEO and chief technology officer, respectively, of Mischel Kwon and Associates — told us made clear that the user has to be, if anything, even more aware of possible threats and proactive in avoiding them.
For instance, they pointed out that a tactic trending again for phishing, targeted phishing and spoofing attacks is the use of homographs. These are different characters that look alike; using them strategically, a hacker can register a domain name that looks the same as a legitimate one.
Common examples might use a zero instead of the letter “O,” or take advantage of how a lowercase “L” and a capital “I” look the same in many fonts, leading to URLs that look legitimate but take users to malicious sites.
It gets even more complicated when you think about how many domain name servers recognize Internationalized Domain Names and have to treat letters in other character sets as valid. Since many letters in both the Cyrillic and Greek alphabets look identical to Latin characters, a hacker could register an international domain that looks exactly like another. Holding your mouse over the link may reveal the deception if the pop-up font is different enough from the one used in the link text.
This trick has been in the hacker arsenal for a while now. But it tends to cycle in popularity with attackers, and each time it comes back they get more and more clever. I was talking with Tomek after the session, and he brought up a disturbing example. He told me that, since the lowercase letters “r” and “n” together appear similar to the lowercase “m” in most fonts, one of his colleagues had registered the domain “rnicrosoft.com.”
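To show how an organization’s mail or proxy filter can catch the lookalikes described above on the defender’s side, here is an added example that is not from the article or from the presenters. It decodes any “xn--” (Punycode) label back to what the user would see, collapses each host name to a “skeleton” in which confusable characters and digraphs (zero for “O”, capital “I” for lowercase “l”, “rn” for “m”, Cyrillic and Greek lookalikes) map to one Latin form, and compares that skeleton against a short list of protected brand domains. The PROTECTED set, the CONFUSABLES table (deliberately small, not the full Unicode confusables list) and all function names are my own constructions.

```python
import unicodedata

# Constructed sample list of brand domains the organization wants to protect.
PROTECTED = {"microsoft.com", "paypal.com", "example.com"}

# Constructed, hand-picked confusable mappings (not exhaustive). Each key is a
# character or digraph that resembles the Latin letter in the value.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",
    "rn": "m", "vv": "w", "cl": "d",
    # Cyrillic lookalikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
    # Greek lookalikes
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def to_unicode(host: str) -> str:
    """Decode Punycode ('xn--') labels so an IDN is judged by what the user
    sees rather than by its ASCII wire form. Plain ASCII hosts pass through."""
    if "xn--" not in host.lower():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed label: leave it for the skeleton check


def skeleton(label: str) -> str:
    """Collapse a host name to a canonical Latin 'skeleton' in which visually
    confusable characters map to the letter they imitate."""
    # NFKC folds compatibility forms such as full-width letters onto ASCII.
    s = unicodedata.normalize("NFKC", label)
    # Capital I looks like lowercase l; fold it before lowercasing loses the case.
    s = s.replace("I", "l").lower()
    # Replace longer sequences first so 'rn' becomes 'm' before single characters.
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, repl)
    return s


def scripts_in(label: str) -> set:
    """Rough script detection from the first word of each letter's Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and punctuation ignored."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def lookalike_of(host: str):
    """Return the protected domain this host imitates, or None if it is either
    the genuine domain or unrelated to anything in PROTECTED."""
    decoded = to_unicode(host.strip().rstrip("."))
    if decoded.lower() in PROTECTED:
        return None  # exact match: the real thing
    sk = skeleton(decoded)
    for brand in PROTECTED:
        if sk == skeleton(brand):
            return brand
    return None


def assess(host: str) -> dict:
    """Defender-side summary for one host taken from a link in a message."""
    decoded = to_unicode(host.strip().rstrip("."))
    mixed = any(len(scripts_in(lbl)) > 1 for lbl in decoded.split("."))
    brand = lookalike_of(decoded)
    return {
        "host": decoded,
        "lookalike_of": brand,
        "mixed_script": mixed,
        "suspicious": brand is not None or mixed,
    }


if __name__ == "__main__":
    # Constructed samples, including the 'rnicrosoft.com' case from the article
    # and a Cyrillic-o variant in its Punycode form.
    cyrillic = "micr\u043esoft.com".encode("idna").decode("ascii")
    for h in ["microsoft.com", "rnicrosoft.com", "paypa1.com", "PayPaI.com", cyrillic]:
        print(h, "->", assess(h))
```

The mixed-script flag is independent of the brand list: a label that combines Latin with Cyrillic or Greek letters is worth quarantining even when it imitates no domain you track, since there is almost no legitimate reason for such a label. The skeleton comparison is the same idea as the Unicode confusables “skeleton” in UTS #39, with a hand-built table standing in for the full data.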
While I’m glad that this domain is owned by one of the good guys, it highlights the fact that no user can let their guard down.
So, please, as always, think before you click!