Blog | Digital Risk Protection

How One Letter Renders Phishing Emails Undetectable

Written by Andre Luiz R. Silva | Dec 3, 2019 7:52:19 PM

If you have been paying close attention, you’ll know that we’ve recently been discussing spear phishing, a kind of fraud that uses email sent directly to a specific person or group, and also about scams that show look-alike URLs to deceive the visitor. To make matters worse, however, we see evidence now that these two tactics are becoming intertwined. A study by Offensity showed that hidden characters in some senders’ domains are not detected by the foremost webmail services!

 

More phishing emails, with greater sophistication!


The entire Offensity study was carried out using a domain registration that used Unicode characters, which are characters that are not in the alphabet of Latin-based languages (such as ours). 

In cybersquatting scams (the ill-intentioned registration of similar domains), Unicode characters are generally taken from the Cyrillic alphabet, which is used for languages such as Russian. The heck of it is that when shown in the correct form (without viewing errors), those letters can be identical to letters in the Latin alphabet.

To carry out this email test, Offensity personnel registered a domain with the name а1.digital. At first glance, there’s nothing strange about it, right? Well, the first “a” in this domain actually comes from the Cyrillic alphabet. When read “incorrectly,” adapted to our alphabet, it appears like this:

xn--1-7sb.digital

Totally different, right? This system of character conversions that cannot be read in the Roman system/alphabet has been dubbed punycode. However, the big issue here is that very few places can make that conversion—in others, the “a” will appear normally as a character that is nearly identical to that of the Latin alphabet. 

So, you can imagine the countless possibilities in so many other domains that could confuse a person (even the most experienced in digital security!) regarding the authenticity of content. The most obvious route for a cybercriminal is, therefore, to create phishing schemes for capturing sensitive data, such as logins, passwords and credit card numbers.

 

The problem “punycode” represents for the primary webmail services


To test which emails did not display the punycode characters to the user (making him or her vulnerable to phishing scams), Offensity tested email sends and the message reply options on seven different products: Outlook (desktop and mobile), Office 365 Web, Gmail (web and mobile), Apple Mail (for iPhone) and Thunderbird (Mozilla).

Only Outlook’s mobile version and Apple Mail for iPhone showed the punycode’s genuine appearance when receiving and replying to the recipient that was using the created domain. Gmail’s web version was the only one that went half-way, unmasking the problem only when “reply” was clicked.

What, then, does all this tell us? These test results, if we do the math, show that the probability that a given user of the leading webmail services can successfully discern that the domain is falsified is only 35.7%.

 

What’s the best strategy to avoid Unicode deception?


Well, to avoid getting snagged by Unicode domains with fraudulent intentions, you need a sharper eye. Now that you know these dangers exist—and since knowledge is power—perhaps it would be a good idea to see how these characters are obtained. As easy as it is for a fraudster to get a Cyrillic character via a Google search, the reverse direction is also easy.

On a site such as Punycoder you can insert characters and phrases (or an entire text, if you’d prefer) that were written in Unicode so that they appear with the notorious “xn--” in front. But this should be the responsibility of the webmail services, as it would clearly be difficult for a user to insert all email domains received into an external “verifier,” right?


The final solution: Brand and domain protection

That’s right! A company’s good, old-fashioned concern for what’s being said or done regarding their brand must also embrace new technologies (and the cybercriminals’ updates). Considering the Unicode problems, domain monitoring is a good and necessary strategy for companies wishing to protect their reputation online.

Here’s how it works: You find a solution and/or a monitoring product that includes strategic planning for Unicode functions, and then just wait for the alerts to come the moment a domain similar to that of your brand, with any change of characters, is registered. A suggestion? Find out about our solution for Similar domain names and see what we can do for you.

 

Meet Polaris, Axur's Latest AI Solution for Cybersecurity

Polaris, our cyber intelligence platform, sets new standards in security with precise alerts tailored to your attack surface map. Its comprehensive, real-time view of global threats simplifies cybersecurity management while uncovering hidden patterns shaping the evolving threat landscape. Curious about how Polaris can transform your security strategy? Experience the power of proactive intelligence today.