Scamsters use URL spoofs to evade spam filters

Written by John P Mello Jr on September 16, 2009
gfi005-greek-alphabet

What's English to you may be Greek to your computer.

In their never-ending pursuit to evade spam filters, malevolent mailers have deployed a number of techniques to obfuscate their true intent. One of those techniques is using facsimiles of legitimate brand names in Web addresses to redirect victims to outlaw Internet sites where the scammers can work their mischief on their targets, a practice called spoofing.

Spoofing Web addresses isn’t a new tool in the phishing community’s black bag of tricks, but the introduction of international domain names (IDN) has fertilized the poison fruit of the scam artists.

An IDN is a domain name that contains non-English characters. The rationale behind the idea is a noble one. It’s intended to broaden the appeal of the Web by allowing domains to be registered in theĀ  alphabet of their native countries. However, some of those letters may appear as English characters in a URL, which allows phishers to create phony Web addresses that look exactly like the Real McCoy.

Before IDNs, clever Black Hats played the homograph game by taking advantage of typographic foibles. In some fonts, for instance, zeros (00) look like o’s (OO) so spoofing a domain like google.com as g00gle.com could reap rewards. But with IDNs, there may be no discernible difference to the eye between the two Google addresses, yet one is real, whilst the other is bogus with letters from a foreign alphabet that perfectly emulate the Latin one.

To the user, a Cyrillic ‘o’ looks exactly like a Latin ‘o’ because most fonts don’t make a distinction between the two characters when they display them. A computer, though, does make such a distinction when it processes the character string as a URL.

Inside an email, the spoofed address will look legitimate, but when rubes click the URL, they’re taken to a straw site where their personal information can be filched or their computer infected with malware before being passed to the genuine Web address, often unaware that they’ve just been electronically mugged.

The IDN dodge has been known for quite some time. In 2005, for example, two computer science students, Evgeniy Gabrilovich and Alex Gontmakher, at Technion, the Israel Institute of Technology, illustrated how letters from the Cyrillic alphabet that look exactly like ‘o’ and ‘e’ could be used to register the domain name bloomberg.com. Better yet, they used the same technique to spoof microsoft.com. One can only imagine how many unfortunates might be fleeced of their personal information by spoofing that URL.

A number of foreign alphabets lend themselves to homograph spoofing.

One of the best is Cyrillic. That’s because it contains 11 characters that mimic or closely mimic the letters a, c, h, e, i, j, o, p, s, x and y.

In Greek, only lowercase omicron mirrors a Latin letter, o. But that changes if uppercase letters are used. Then the letters A, B, E, H, I, K, M, N, O, P, T, X, Y AND Z all have Greek twins.

Armenian has six letters that look like g, h, n, o, q and u. Two other letters may slip by as a j or p, depending on the display font. However, while Cyrillic and Greek are supported by most standard fonts, Armenian isn’t. So in Windows, for instance, Armenian is displayed as a special font, Sylfaen, which supports the language. That means any Armenian characters mixed in with Latin ones will be as ostentatious as a Turk at a Viking convention.

Although it’s rare, Hebrew can be used for spoofing, too. Three members of its alphabet look very similar to o, i and n.

When IDNs first began to appear, the popular browsers were practically defenseless against homograph spoofs. Now there are a number of defense strategies that can be used to thwart the practice.

The most extreme is to turn off IDN support. That may block access to IDN sites, but most likely the browser will just display the foreign URL in Punycode. Punycode will convert the non-ASCII characters in an address to an ASCII equivalent. The result looks a little weird. If an URL has www.xn in it, chances are it’s in Punycode.

By default, Firefox and Opera will display Punycode for IDNs, unless the Top Level Domain (TLD) is one that counters homographic attacks by restricting the characters that can be used in a domain name. They also allow TLDs to be manually added to a White List.

Another way to counter homograph spoofing is to turn on the anti-phishing feature found in the major browsers. It alerts users when they’re about to access a dubious Web site.

Comments

Pingback: 5 Security Threats Expected in 2010 @ Tricerion Security Blog

Leon February 6, 2010

I am getting a new type of spam at my hotmail address.

Seems there are a lot of websites being compromised as they are being mentioned in these emails.

The spams all look the same, or similar. and follow the same pattern
Two URL’s with different wording saying “get this product here” and one saying “to unsubscribe click here” – as if to indicate the user had granted permission to receive this email, making it legitimate.

The trick is that the spam contains the URL’s of legitimate websites, and mentions legitimate products, eg “find the best school to attend”, so gets past hotmail’s anti-spam

They started off as offers to “find a maid” and various ways to describe cleaning services, but now they keep changing eg teaching degrees, sell timeshares,
etc

But the thing is the email contains URL’s to completely different websites each time. And the URLS point to websites that are for companies that don’t match the product mentioned by the emails.

It seems that the websites listed in the emails must be compromised and the spammers intention is that the user will click on the URL and the compromised website will either directly serve spam advertisements or malware, or issue redirects to a site that will.

Or perhaps its just part of a “increase view counters” campaign… Websites that pay for increasing view counts may be hoodwinked.

  • (required)
  • (required)