Fraudsters using non-English character sets to create millions of phishing sites

In April last year, security researcher Xudong Zheng discovered vulnerabilities in popular web browsers such as Google Chrome, Firefox, and Opera that allowed hackers to display fake domain names mimicking popular websites on malicious sites they operated. This way, such hackers were able to lure unsuspecting users to their fake websites and use auto-fill forms to obtain users' e-mail addresses and other details.

Zheng built a demo page to demonstrate the vulnerability. He registered a new domain using foreign characters like "" which translated to on the website. He called this a 'homograph attack' which is also known as script spoofing. In security parlance, the attack is defined as 'a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike.'

1 in 4 domains using non-English character sets are fake

Even though Google fixed the vulnerability in the Chrome browser with the release of Chrome 58, a new report from security firm Farsight Security has revealed that as many as 27 percent of the 100 million domain names featuring non-English character sets, which exist to make browsing easier for non-English-speaking users, have been created by fraudsters intending to deceive users and to generate clicks fraudulently.

The fraudsters' use of non-English character sets in malicious websites is so convincing that Internet users are unable to distinguish genuine websites from script-spoofing ones. Many such websites use non-English character sets to mimic the domains of banks, children's brands, and loan advisors.

"Any lower case letter can be represented by as many as 40 different variations," said Paul Vixie, the founder of Farsight Security, to the BBC. During its research, Farsight Security came across more than 8,000 non-English characters being used by scammers to defraud Internet users, either to generate clicks or to target them with malware.

"Phishing scams are far from new, but the twist of embedding foreign characters with subtle differentiations to English language ones to draw customers to phishing sites is an interesting twist," said Robert Capps, VP at NuData Security, to TEISS News.

"It shows that hackers are constantly evolving and chasing new tactics to lure customers into surrendering their personal and payment data. As Farsight Security pointed out, mobile is a more successful channel because the small differences are harder to find on a small screen, making subtle variations far more difficult to perceive immediately."

How to avoid script-spoofing domains?

He added that in order to defeat the scam being perpetrated by fraudsters behind such script-spoofing domains, merchants and financial institutions are moving past the user’s personally identifiable information (PII) as a way to authenticate them and are incorporating multi-layered solutions with passive biometrics and behavioral analytics.

"These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information. The hundreds of subtle nuances in customer behavior – together with many other factors such as device identity – create a dynamic user profile that bad actors can’t mimic. Moreover, behavioral data obfuscates much of what would attract bad actors seeking to steal and sell or reuse customer data," he added.

According to Zheng, Internet users can avoid visiting script-spoofing domains by typing the URL manually or by navigating to a genuine website via a search engine when in doubt. This is because the scam can even fool those who are extremely mindful of phishing, he wrote in a blog post.
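Script-spoofing defence in code, as an added example that is not from the article or from Farsight, NuData or Zheng: a Python check that decodes punycode hostnames, flags labels mixing Latin and Cyrillic letters, and folds lookalike letters into a "skeleton" that is compared with a watch list of protected domains. The watch list, the partial confusables map and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed watch list: brand domains a registrar, SOC or mail gateway wants to protect.
WATCHED_DOMAINS = {"paypal.com", "scope.com"}

# Constructed partial map of Cyrillic lookalikes to their Latin twins. A real
# deployment would load the full Unicode confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0501": "d", "\u04bb": "h",
}

def decode_idn(host: str) -> str:
    """Return the Unicode form of a hostname: punycode (xn--) labels are decoded,
    hostnames that are already Unicode pass through unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(label: str) -> str:
    """Fold a label to the ASCII 'shape' a user perceives: strip accents
    (NFKD, then drop combining marks) and map lookalike letters to Latin."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()

def assess(host: str) -> dict:
    """Flag a hostname that mixes scripts or whose skeleton collides with a watched domain."""
    decoded = decode_idn(host).lower()
    labels = decoded.split(".")
    skel = ".".join(skeleton(label) for label in labels)
    return {
        "decoded": decoded,
        "mixed_script": any(len(scripts_in(label)) > 1 for label in labels),
        # A whole-script lookalike (every letter Cyrillic) passes the mixed-script
        # check, so the skeleton comparison is what catches it.
        "lookalike_of": skel if skel in WATCHED_DOMAINS and skel != decoded else None,
    }

if __name__ == "__main__":
    # Constructed samples: genuine, legitimate IDN, mixed-script lookalike, whole-script lookalike.
    for h in ["paypal.com", "xn--bcher-kva.ch", "p\u0430yp\u0430l.com", "\u0455\u0441\u043e\u0440\u0435.com"]:
        print(h, assess(h))
```

The legitimate German IDN is left alone while both lookalikes are reported, which is the balance a blocklist or mail filter needs if it is not to break non-English domains.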

Copyright Lyonsdown Limited 2021
