Microsoft is warning businesses and Internet users worldwide about malicious cyber actors setting up fraudulent domains using the “homoglyph” technique and using these domains to masquerade as genuine entities online.
The software giant recently zeroed in a cyber criminal group operating out of West Africa that has been using homoglyph domains to appear as genuine businesses or individuals in online communications. Glosbe defines homoglyph as “a character identical or nearly identical in appearance to another, but which differs in the meaning it represents.”
Microsoft says the term denotes the exploitation of similarities of alphanumeric characters by cyber criminals to create deceptive domains to unlawfully impersonate legitimate organisations. For example, a malicious actor can make an attempt to impersonate Microsoft[.]com by using “0” instead of “o”. This way, the hacker can make a fraudulent domain appear as MICR0S0FT[.]COM, which looks similar to MICROSOFT[.]COM in upper case.
Similarly, malicious actors can use an uppercase “I” and a lowercase “l” to make a fraudulent domain appear exactly similar to the real one. (e.g. MICROSOFT.COM vs. MlCROSOFT.COM). “We continue to see this technique used in business email compromise (BEC), nation-state activity, malware, and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks,” the company said.
Last week, the company secured a court order in the U.S. against a West Africa-based cyber criminal group that was found using homoglyph domains to target small businesses. Microsoft says the order required domain registrars “to disable service on malicious domains that have been used to impersonate Microsoft customers and commit fraud.”
The criminal organisation, whose identity is yet to be affirmed, registered 17 additional malicious homoglyph domains to primarily target small businesses based in North America. The gang combined the use of homoglyph domains with stolen customer credentials to unlawfully access and monitor accounts.
“In this BEC attack, these fraudulent domains, together with stolen customer credentials, were used by cybercriminals to unlawfully access and monitor accounts. The group proceeded to gather intelligence to impersonate these customers in an attempt to trick victims into transferring funds to the cybercriminals.
“Once the criminals gained access to a network, they imitated customer employees and targeted their trusted networks, vendors, contractors, and agents in an effort to deceive them into sending or approving fraudulent financial payments,” Microsoft said.
Considering the likelihood of hackers moving their malicious infrastructure outside the Microsoft ecosystem and onto third-party services to continue operating, Microsoft says the court order eliminates the defendants’ ability to move these domains to other providers.
The use of malicious homoglyph domains as a tool for online fraud is quite similar to, but not the same as the use of typosquatting domains. Kaspersky describes a typosquatting scam as “a form of cybercrime that involves hackers registering domains with deliberately misspelled names of well-known websites.”
“The ‘typo’ in typosquatting refers to the small mistakes people can make when typing on a keyboard. Typosquatting is also known as URL hijacking, domain mimicry, sting sites, or fake URLs,” the firm said. “Users may be tricked into entering sensitive details into these fake sites. For organizations victimized by these attackers, these sites can do significant reputational damage.”