Light Dark
December 26, 2017 By David Strom 2 min read
Fraud Protection

Phishing attacks have gotten more sophisticated, especially those that leverage homographic, or Punycode, characters. These characters look like the ordinary Latin alphabet but substitute other language character sets to fool users into navigating to malicious domains.

In recent months, criminals have moved beyond basic phishing schemes and have begun to launch Punycode attacks as part of larger malware efforts. Security researchers have uncovered new campaigns leveraging Punycode domains in connection with a malvertising scheme and a new email exploit.

Seamless Takes Steps Toward Obfuscation

First is the Seamless malvertising campaign, which uses the RIG exploit construction kit to deliver the Ramnit Trojan. The criminals behind the campaign have started using Punycode to hide their attacks. Earlier versions of Seamless used a static IP address for its destination sites. With Punycode, this address is hidden using Cyrillic characters.

Security researchers first spotted this new variation of Seamless in March 2017. They suggested that, since previous efforts to identify the campaign were relatively straightforward, the malware authors have taken their first steps toward obfuscation.

Mailsploit Mayhem

Another prominent cyberthreat that uses Punycode is a “collection of bugs in email clients that allow effective sender spoofing and code injection attacks” known as Mailsploit. In December 2017, security researcher Sabri Haddouche reported bugs in more than 30 different email clients that supposedly circumvented email encryption protocols. One of the attack vectors he identified involves the use of Punycode characters.

Several email vendors have updated their client software to protect against code injection attacks. Haddouche is maintaining a spreadsheet to keep track of which mail clients have patched their systems and which have not. Most of the major email vendors, including Gmail and Office 365, aren’t affected, and Yahoo has already fixed the vulnerability. Kudos to Haddouche for working with the vendors prior to disclosing the issue.

Nip Punycode Attacks in the Bud

The Punycode attack vector is gaining popularity among cybercriminals and is likely to pop up in more malware campaigns in the near future. Now is a good time to brush up on the standards for non-Latin domain names to help you identify Punycode attacks before they can do any damage to your system.

Read the white paper: Adapt to new phishing threats and assess websites automatically

 |  |  |  |  |  |  |  | 
David Strom
Security Evangelist

More from Fraud Protection
July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

March 13, 2024

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

March 7, 2024

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature