Fraudsters using non-English character sets to create millions of phishing sites

In April last year, security researcher Xudong Zheng discovered vulnerabilities in popular web browsers such as Google Chrome, Firefox, and Opera that allowed hackers to display fake domain names mimicking popular websites on malicious websites they operated. In this way, hackers were able to lure unsuspecting users to their fake websites and use auto-fill forms to obtain users’ e-mail addresses and other details.

Zheng built a demo page to demonstrate the vulnerability. He registered a new domain using foreign characters like “” which translated to on the website. He called this a ‘homograph attack’ which is also known as script spoofing. In security parlance, the attack is defined as ‘a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike.’

1 in 4 domains using non-English character sets are fake

Google fixed the vulnerability in its Chrome browser with the Chrome 58 update. Even so, a new report from security firm Farsight Security has revealed that as many as 27 percent of the 100 million domain names that feature non-English character sets, which exist to make browsing easier for non-English-speaking users, have been created by fraudsters with the intention of deceiving users and generating clicks fraudulently.

The use of non-English character sets in malicious websites by fraudsters is so precise that Internet users are unable to distinguish between genuine websites and script-spoofing ones. Many such websites use non-English character sets to mimic domains of banks, children’s brands, and loan advisors.

“Any lower case letter can be represented by as many as 40 different variations,” said Paul Vixie, the founder of Farsight Security, to the BBC. During its research, Farsight Security came across more than 8,000 non-English characters that are being used by scammers to defraud Internet users, either to generate clicks or to target them with malware.

“Phishing scams are far from new, but the twist of embedding foreign characters with subtle differentiations to English language ones to draw customers to phishing sites is an interesting twist,” said Robert Capps, VP at NuData Security to TEISS News.

“It shows that hackers are constantly evolving and chasing new tactics to lure customers into surrendering their personal and payment data. As Farsight Security pointed out, mobile is a more successful channel because the small differences are harder to find on a small screen, making subtle variations far more difficult to perceive immediately.”

How to avoid script-spoofing domains?

He added that in order to defeat the scam being perpetrated by fraudsters behind such script-spoofing domains, merchants and financial institutions are moving past the user’s personally identifiable information (PII) as a way to authenticate them and are incorporating multi-layered solutions with passive biometrics and behavioral analytics.

“These technologies thwart the reuse of data by fraudsters and, instead, verify users based on their behavioral information. The hundreds of subtle nuances in customer behavior – together with many other factors such as device identity – create a dynamic user profile that bad actors can’t mimic. Moreover, behavioral data obfuscates much of what would attract bad actors seeking to steal and sell or reuse customer data,” he added.

According to Zheng, Internet users can avoid visiting script-spoofing domains by typing the URL manually or by navigating to a genuine website via a search engine when in doubt. This is because the scam can even fool those who are extremely mindful of phishing, he wrote in a blog post.
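The script-spoofing labels described above can also be flagged mechanically on the defender's side, for example when reviewing links in inbound mail or newly observed domains. The following Python code is an added example, not code from Zheng, Farsight Security or the original article; the lookalike table, the verdict names and the sample labels are constructed assumptions.

```python
import unicodedata

# Assumption: a small hand-picked table of Cyrillic letters that render like
# Latin ones; real tooling would use the full Unicode confusables data.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "\u0455": "s"}

def to_unicode(label):
    """Decode an ACE ("xn--") label to Unicode; leave other labels alone."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch):
    """Approximate the script by the first word of the Unicode name."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return None  # digits and hyphen are shared by all scripts
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def classify_label(label):
    """Return (verdict, ascii_skeleton) for one DNS label."""
    text = to_unicode(label).lower()
    skeleton = "".join(LOOKALIKES.get(c, c) for c in text)
    if text.isascii():
        return "ascii", skeleton
    scripts = {script_of(c) for c in text} - {None}
    if len(scripts) > 1:
        return "mixed-script", skeleton          # e.g. Latin plus Cyrillic
    if skeleton.isascii():
        return "whole-script-lookalike", skeleton  # reads as pure Latin
    return "single-script-idn", skeleton         # ordinary non-Latin name

def classify_domain(domain):
    """Classify every label of a domain name."""
    return [(lbl,) + classify_label(lbl) for lbl in domain.strip(".").split(".")]

def ace(text):
    """Build the xn-- form of a constructed sample label."""
    return "xn--" + text.encode("punycode").decode("ascii")

if __name__ == "__main__":
    # Constructed samples: Latin, Latin with one Cyrillic "a", all-Cyrillic
    # lookalikes, and an ordinary Cyrillic word.
    samples = ["example", "ex\u0430mple", ace("\u0441\u043e\u0441\u043e"),
               ace("\u043f\u0440\u0438\u043c\u0435\u0440")]
    for s in samples:
        print(s, classify_domain(s + ".com"))
```

The ASCII skeleton returned with each verdict can be compared against a list of the organisation's own brand names to decide which flagged domains need review.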

Copyright Lyonsdown Limited 2021
