In April last year, security researcher Xudong Zheng discovered vulnerabilities in popular web browsers such as Google Chrome, Firefox and Opera that allowed hackers to display fake domain names mimicking popular websites in the address bar of malicious websites they operated. This way, such hackers were able to lure unsuspecting users to their fake websites and use auto-fill forms to obtain users’ e-mail addresses and other details.
Zheng built a demo page to demonstrate the vulnerability. He registered a new domain using foreign characters, “xn--pple-43d.com” in its encoded (Punycode) form, which the browser displayed as apple.com. He called this a ‘homograph attack’, which is also known as script spoofing. In security parlance, the attack is defined as ‘a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike.’
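To make the mechanism concrete, here is an added example (not code from the article or from Zheng’s demo page) that decodes an “xn--” hostname back to the characters a browser would display and flags labels that mix writing systems, which is one of the heuristics browsers apply when deciding whether to show the Unicode form. The sample hostnames other than the article’s “xn--pple-43d.com” are constructed for this example; the script classification is an approximation based on Unicode character names and does not cover whole-script confusables (an all-Cyrillic label that resembles a Latin brand name), which need a confusables table.

```python
"""Decode Punycode (xn--) hostnames and flag labels that mix scripts."""
import unicodedata


def to_unicode(hostname: str) -> str:
    """Convert an ACE (xn--) hostname to its Unicode display form.

    Returns the input unchanged if it is not valid IDNA (e.g. a label that
    does not round-trip, or a name that is already non-ASCII).
    """
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode name.

    Digits and hyphens are treated as COMMON so they never count as a script.
    """
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_scripts(label: str) -> set:
    """Set of scripts used in one DNS label, ignoring COMMON characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def analyze(hostname: str) -> dict:
    """Decode a hostname and report any label that mixes two or more scripts."""
    unicode_host = to_unicode(hostname)
    mixed = []
    for label in unicode_host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            mixed.append((label, sorted(scripts)))
    return {
        "ace": hostname,                       # name as it appears in DNS
        "unicode": unicode_host,               # name as a browser might display it
        "is_idn": unicode_host != hostname,    # True if any label was xn--
        "mixed_script_labels": mixed,          # labels mixing e.g. CYRILLIC + LATIN
    }


if __name__ == "__main__":
    # Constructed sample set: the article's demo domain, a plain ASCII name,
    # and a legitimate all-Cyrillic name (encoded here so no Punycode is hand-typed).
    samples = [
        "xn--pple-43d.com",                            # from the article
        "apple.com",                                   # nothing to flag
        "привет.com".encode("idna").decode("ascii"),   # constructed, single script
    ]
    for host in samples:
        report = analyze(host)
        verdict = "MIXED SCRIPT" if report["mixed_script_labels"] else "ok"
        print(f"{host:28} -> {report['unicode']:14} {verdict} {report['mixed_script_labels']}")
```

Running the script shows that “xn--pple-43d.com” decodes to a name whose first character is Cyrillic а (U+0430) followed by Latin “pple”, so the label is flagged as mixed-script, while the ASCII and all-Cyrillic names pass. The mixed-script rule is cheap and catches this demo, but as noted above it does not catch labels written entirely in one non-Latin script that happen to look like a Latin brand.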
1 in 4 domains using non-English character sets are fake
Even though Google fixed the vulnerability in the Chrome browser with the Chrome 58 update, a new report from security firm Farsight Security has revealed that as many as 27 percent of the 100 million domain names that feature non-English character sets (intended to make browsing easier for non-English-speaking users) have been created by fraudsters intending to deceive users and to generate clicks fraudulently.
The use of non-English character sets in malicious websites by fraudsters is so precise that Internet users are unable to distinguish between genuine websites and script-spoofing ones. Many such websites use non-English character sets to mimic domains of banks, children’s brands, and loan advisors.
“Any lower case letter can be represented by as many as 40 different variations,” Paul Vixie, the founder of Farsight Security, told the BBC. During its research, Farsight Security came across more than 8,000 non-English characters that are being used by scammers to defraud Internet users, either to generate clicks or to target them with malware.
“Phishing scams are far from new, but the twist of embedding foreign characters with subtle differentiations to English language ones to draw customers to phishing sites is an interesting twist,” Robert Capps, VP at NuData Security, told TEISS News.
“It shows that hackers are constantly evolving and chasing new tactics to lure customers into surrendering their personal and payment data. As Farsight Security pointed out, mobile is a more successful channel because the small differences are harder to find on a small screen, making subtle variations far more difficult to perceive immediately.”
How to avoid script-spoofing domains?
He added that, in order to defeat the scam being perpetrated by the fraudsters behind such script-spoofing domains, merchants and financial institutions are moving away from relying on the user’s personally identifiable information (PII) to authenticate them and are incorporating multi-layered solutions with passive biometrics and behavioral analytics.
“These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information. The hundreds of subtle nuances in customer behavior – together with many other factors such as device identity – create a dynamic user profile that bad actors can’t mimic. Moreover, behavioral data obfuscates much of what would attract bad actors seeking to steal and sell or reuse customer data,” he added.
According to Zheng, Internet users can avoid visiting script-spoofing domains by typing the URL manually or, when in doubt, by navigating to the genuine website via a search engine. This is because the scam can fool even those who are extremely mindful of phishing, he wrote in a blog post.