scams – Hacker Security
https://hackersecurity.io
Pontifications on Infosec, Intelligence, and Technology

Homographic Attacks: A Subtle Cyber Threat
https://hackersecurity.io/scams/phishing/homographic-attacks-a-subtle-cyber-threat/
Tue, 03 Dec 2024 18:42:54 +0000

In an era where the internet is a foundational part of daily life, cyber criminals continue to refine their insidious methods to exploit vulnerabilities, even if that vulnerability is in the human mind. One such cunning tactic is known as a homographic attack. Though lesser-known than the broader category of phishing—and, perhaps, less sexy than Jonny Lee Miller and Angelina Jolie Hacking the Planet—this type of attack has proven to be a significant threat, especially as it targets the human element—my favorite—of cybersecurity.

What does “Homographic” Mean?

The word homographic has its origins in the study of Linguistics, one of my own favorite areas of nerdery. Merriam-Webster defines it as “one of two or more words spelled alike but different in meaning or derivation or pronunciation (such as the bow of a ship, a bow and arrow).” A more modernized, cybersecurity-appropriate definition would also include the use of Unicode characters from different languages specifically because they can be easily mistaken for similar-looking characters in English.

What Are Homographic Attacks?

A homographic attack exploits the visual similarities between characters used in domain names to deceive users. These attacks are a form of typosquatting (e.g., purchasing domain names with deliberate misspellings to catch when users fat-finger a URL) or URL spoofing and rely on the fact that humans often scan text quickly, trusting their eyes to recognize familiar patterns.

For example, a criminal might register a domain like g00gle.com where the number “0” is used in place of the letter “o.” To an untrained eye, this domain may appear identical to Google’s legitimate site. This deceptive domain can then be used to trick users into revealing sensitive information, downloading malware, or performing other harmful actions. To make the scam even more difficult to detect, threat actors may choose to use letters from another alphabet (e.g., Russian Cyrillic). At a cursory glance, the URL google.com looks absolutely identical to gооgle.com. The only difference is that the first one is genuine, while the “oo” in the second one is using Cyrillic. As you can likely see, they’re nearly impossible to distinguish.

How Do Homographic Attacks Work?

Homographic attacks are commonly executed using Internationalized Domain Names (IDNs). These IDNs allow non-Latin Unicode characters, enabling cyber criminals to create domains that appear visually identical to legitimate ones by substituting lookalike characters from different scripts. For example:

  • The Latin “a” (a) might be replaced with the Cyrillic “а” (а)—both look the same but have different Unicode representations.
  • A domain like paypal.com could become раураl.com (using Cyrillic characters).

Attackers register these deceptive domains and use them for malicious purposes, such as:

  1. Phishing Scams: Tricking users into entering credentials or personal information.
  2. Malware Distribution: Hosting malicious files that users download, believing the site is legitimate.
  3. Man-in-the-Middle Attacks: Intercepting and modifying communication between the user and the intended site.

Real-World Examples

Homographic attacks have targeted high-profile brands and users globally:

  • 2017 IDN Attack: A researcher demonstrated how a fake apple.com domain using Unicode characters could be indistinguishable from the original in certain browsers.
  • Cryptocurrency Scams: Fake wallet sites with lookalike domains have siphoned funds from unsuspecting users.

Protecting Yourself from Homographic Attacks

  1. Be Vigilant with URLs: Always verify the URL in your browser’s address bar, especially before entering sensitive information. Don’t click. Copy and paste into the browser and verify whether what comes up looks legitimate or like nonsense. The above gооgle.com (fake, using Cyrillic) comes up in my browser as https://xn--ggle-55da.com/, a dead giveaway for a homographic attack.
  2. Use Modern Browsers: Updated browsers often detect and flag suspicious IDNs.
  3. Enable URL Preview: Hover over links before clicking to see the actual destination.
  4. Educate and Train: Awareness is a powerful defense. Organizations should train employees to recognize homographic threats. Make sure less-savvy family members know about this and are aware of how to mitigate the risk of such attacks (i.e., send them this post!).

Countermeasures for Organizations

  • Domain Monitoring: Regularly check for domains that mimic your brand.
  • Browser Configuration: Configure browsers to display punycode (the ASCII representation of IDNs), which exposes Unicode characters (e.g., München [the German name for Munich] would be rendered as Mnchen-3ya), making the attempted attack more obvious.
  • Legal Action: Work with domain registrars to take down malicious domains.
  • Secure Communications: Use HTTPS and verify digital certificates to ensure connections are authentic.
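
The domain-monitoring and punycode checks above can be automated. The following is an added example, not code from the original post: it converts a hostname to its punycode form and flags labels that mix scripts or that fold to a watched brand name. The lookalike map, the brand list and the sample hostnames are constructed assumptions, and the map is far from complete.

```python
import unicodedata

# Constructed, deliberately small lookalike map: Cyrillic letters and the digit zero.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "0": "o"}

def to_unicode(host):
    """Decode any xn-- labels so punycode seen in logs can be inspected too."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def to_ascii(host):
    """Punycode (xn--) form of the hostname, the name actually looked up in DNS."""
    return to_unicode(host).encode("idna").decode("ascii")

def scripts_in(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold known lookalikes to Latin so visually identical labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())

def check_host(host, brands):
    """Report the punycode form, mixed-script use, and any brand a label imitates."""
    labels = to_unicode(host).lower().split(".")
    mixed = [l for l in labels if len(scripts_in(l)) > 1]
    imitates = [skeleton(l) for l in labels if l not in brands and skeleton(l) in brands]
    return {"ascii": to_ascii(host), "mixed_script": bool(mixed), "imitates": imitates}

BRANDS = {"google", "paypal"}               # hypothetical watch list
SAMPLES = [                                 # constructed from the post's examples
    "google.com",                           # genuine
    "g00gle.com",                           # digit zero for "o"
    "g\u043e\u043egle.com",                 # Cyrillic "o" twice
    "\u0440\u0430\u0443\u0440\u0430l.com",  # Cyrillic letters plus Latin "l"
    "xn--ggle-55da.com",                    # the Cyrillic fake as it appears in punycode
    "m\u00fcnchen.de",                      # legitimate IDN, Latin script only
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_host(sample, BRANDS))
```

A legitimate single-script IDN such as münchen.de passes both checks, while a spoof written entirely in one non-Latin script is caught only by the skeleton comparison, so the two checks complement each other.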

Conclusion

Homographic attacks underscore the need for individual vigilance and a layered approach to cybersecurity. By understanding the subtlety of these attacks and implementing proactive defenses, both individuals and organizations can reduce their risk of falling victim. Cybersecurity is a shared responsibility—stay informed, stay alert, and stay secure.

PayPal Scam Alert
https://hackersecurity.io/scams/paypal-scam-alert/
Tue, 08 Nov 2022 15:57:34 +0000

Early this morning, as I was going about my usual morning routine, I received an email from service@paypal.com indicating that I had an outstanding payment due. Being the untrusting sort of fellow that I am, I checked the email headers and it did appear to come from the authentic PayPal. Now, considering I had neither purchased anything nor sent money through PayPal in about a week, my usual untrustingness elevated.

I immediately went to PayPal’s website and verified that, indeed, I had a seemingly legitimate invoice waiting for me to pay, replete with the warning: “Your checking account on file will be charged automatically (for $2,689.00, no less) on November 8th, 2022. If you didn’t make this transaction, please contact PayPal Customer Support at 888-449-1898.”

Seems simple enough. Call customer support and get it canceled, right? However, this blurb was in the Seller note to customer box. Also… that isn’t PayPal’s customer support number.

Note above that the “invoice” is from “Deborah Thompson” (clearly a totally real and absolutely not made up fake name).

Note here that “Deborah” had suddenly become “Best Buy.”

Also note “Invoice #0015.” How lucky to have gotten such a low invoice number from “Best Buy,” especially considering they’ve probably sold a million electronic gizmos and doodads this morning alone.

Also also note that, despite the linguist in me noting that the writing suggests being penned by a native English speaker, there is a space missing in the cost field between the x and the $: 1 x$2,689.00. Another bit of suspiciousness that might suggest a copy/paste job.

To PayPal’s credit, their website informed me that I could ignore the invoice, as the automatic payment nonsense was input by the seller scammer.

It is my sincere hope that you have Googled (or Duck-Duck-Go’d) the phone number or something akin to “PayPal scam” and, perhaps, found your way to this warning, and that the information here helps you to avoid getting duped out of your hard-earned money.

And I also hope that (the real) Best Buy ups their anti-fraud game and that the FBI finds “Deborah” and buries “her” up to the duodenum in a fire ant hill.
