'Homoglyph' is the new buzzword in phishing
Cryptocurrencies and the fintech sector are prime targets
Visually similar characters, known as homoglyphs, are the latest focus for cyber-criminals, who have started extorting cryptocurrency with the help of homoglyph-based domain names. That's the headline from the latest cybersecurity report published by Slovakian security firm ESET. The report confirms our own research observation that, around the world, malicious domain names are still widely used for phishing, spamming and other forms of cybercrime.
What's a homoglyph?
Anyone who 's ever copied a password from a paper document will be familiar with the problem: is that a 0 (zero) or an O (capital letter 'o')? Characters that have different meanings but look alike are known as homoglyphs. And they're very popular with cybercriminals. The reason: they can be used to create domain names that, at a glance, look like the domain names of legitimate organisations. The attraction for scammers is that, if a homoglyph-based domain name includes enough characters that are different from the legitimate name it resembles, it won't get flagged up by semantic detection systems.
Example
Many security applications detect fraudulent domain names by using a 'Levenshtein algorithm', which checks how many characters in a scanned name differ from the brand name or company name the application is intended to protect. For example: 'coolbue' is one character different from 'coolblue', whereas 'C00IbIue' (where the letters 'l' and 'o' are replaced by capital 'i's and zeros) is four characters different. That four-character difference will lead a computer to read 'C00IbIue' as a totally different name. Thankfully, most detection systems, including SIDN BrandGuard, are able to recognise homoglyphs and therefore do flag up homoglyph-based malicious name domain names.
How big is the problem in .nl?
In the Netherlands, the scope for using homoglyphs to imitate legitimate domain names is limited. One important reason is that the Dutch alphabet consists almost entirely of standard ASCII characters. Another is that .nl domain names aren't allowed to include special characters (known as IDNs). In many other countries, things are different. In Scandinavia, for example, use of the letter Ø means opportunities for scammers. While in the US letters from the Spanish alphabet are often used to mimic domain names.
Cryptocurrencies and the fintech sector are prime targets
One notable development observed over the last six months is a marked upturn in the use of homoglyphs to imitate newish startups in the financial services sector. Fintech companies involved with cryptocurrencies have attracted particular attention, with blokchain.com and binance.com both among the three most imitated domain names (alongside apple.com). Globally, the number of dubious registrations associated with the sector increased six-fold on the second half of 2019. However, it looks as if the trend may already have peaked. Sharp drops in the value of Bitcoin and other cryptocurrencies in May have apparently reduced the incentive, at least for now.
Media brands also attract scammers
Another takeaway from the ESET report is confirmation that scammers are increasingly targeting media brands. Cyber-criminals cash in on the brands' popularity to mount indirect attacks. For example, they'll register a domain name that looks as if it belongs to a popular news outlet, then plant a fake story about a big company with a link to a malicious webpage faking the company's house style. ESET highlights one such scam surrounding the New York Times. The tactic enables them to take advantage of the media title's profile in order to defraud customers of the brand without needing a domain name that would attract the brand owner's attention.
