Phishing attacks have gotten more sophisticated, especially those that leverage homographic, or Punycode, characters. These characters look like the ordinary Latin alphabet but substitute other language character sets to fool users into navigating to malicious domains.
In recent months, criminals have moved beyond basic phishing schemes and have begun to launch Punycode attacks as part of larger malware efforts. Security researchers have uncovered new campaigns leveraging Punycode domains in connection with a malvertising scheme and a new email exploit.
Seamless Takes Steps Toward Obfuscation
First is the Seamless malvertising campaign, which uses the RIG exploit construction kit to deliver the Ramnit Trojan. The criminals behind the campaign have started using Punycode to hide their attacks. Earlier versions of Seamless used a static IP address for its destination sites. With Punycode, this address is hidden using Cyrillic characters.
Security researchers first spotted this new variation of Seamless in March 2017. They suggested that, since previous efforts to identify the campaign were relatively straightforward, the malware authors have taken their first steps toward obfuscation.
Another prominent cyberthreat that uses Punycode is a “collection of bugs in email clients that allow effective sender spoofing and code injection attacks” known as Mailsploit. In December 2017, security researcher Sabri Haddouche reported bugs in more than 30 different email clients that supposedly circumvented email encryption protocols. One of the attack vectors he identified involves the use of Punycode characters.
Several email vendors have updated their client software to protect against code injection attacks. Haddouche is maintaining a spreadsheet to keep track of which mail clients have patched their systems and which have not. Most of the major email vendors, including Gmail and Office 365, aren’t affected, and Yahoo has already fixed the vulnerability. Kudos to Haddouche for working with the vendors prior to disclosing the issue.
Nip Punycode Attacks in the Bud
The Punycode attack vector is gaining popularity among cybercriminals and is likely to pop up in more malware campaigns in the near future. Now is a good time to brush up on the standards for non-Latin domain names to help you identify Punycode attacks before they can do any damage to your system.