December 26, 2017 By David Strom 2 min read

Phishing attacks have gotten more sophisticated, especially those that leverage homographic, or Punycode, characters. These characters look like the ordinary Latin alphabet but substitute other language character sets to fool users into navigating to malicious domains.

In recent months, criminals have moved beyond basic phishing schemes and have begun to launch Punycode attacks as part of larger malware efforts. Security researchers have uncovered new campaigns leveraging Punycode domains in connection with a malvertising scheme and a new email exploit.

Seamless Takes Steps Toward Obfuscation

First is the Seamless malvertising campaign, which uses the RIG exploit construction kit to deliver the Ramnit Trojan. The criminals behind the campaign have started using Punycode to hide their attacks. Earlier versions of Seamless used a static IP address for its destination sites. With Punycode, this address is hidden using Cyrillic characters.

Security researchers first spotted this new variation of Seamless in March 2017. They suggested that, since previous efforts to identify the campaign were relatively straightforward, the malware authors have taken their first steps toward obfuscation.

Mailsploit Mayhem

Another prominent cyberthreat that uses Punycode is a “collection of bugs in email clients that allow effective sender spoofing and code injection attacks” known as Mailsploit. In December 2017, security researcher Sabri Haddouche reported bugs in more than 30 different email clients that supposedly circumvented email encryption protocols. One of the attack vectors he identified involves the use of Punycode characters.

Several email vendors have updated their client software to protect against code injection attacks. Haddouche is maintaining a spreadsheet to keep track of which mail clients have patched their systems and which have not. Most of the major email vendors, including Gmail and Office 365, aren’t affected, and Yahoo has already fixed the vulnerability. Kudos to Haddouche for working with the vendors prior to disclosing the issue.

Nip Punycode Attacks in the Bud

The Punycode attack vector is gaining popularity among cybercriminals and is likely to pop up in more malware campaigns in the near future. Now is a good time to brush up on the standards for non-Latin domain names to help you identify Punycode attacks before they can do any damage to your system.

Read the white paper: Adapt to new phishing threats and assess websites automatically

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today