January 11, 2023 By Jonathan Reed 4 min read

Many phishing attacks pose as banks, and their efforts can be quite convincing. Everything in the email might look official, including the logo. But if you carefully examine the sender’s address, you can see it’s from an imposter.

Now threat actors are using even more sophisticated methods to deceive targets. From typosquatting to punycode to starjacking, these new tactics demand even closer attention to spot. It’s more important than ever to read carefully — or pay a steep price for being in a hurry.

How attackers use Punycode

Have you ever seen a speck of dirt on your computer monitor? Well, if the speck moves when scrolling, it’s more than just dust. It could be a booby-trapped domain.

For example, let’s look at how cyber criminals spoof the U.S. financial services firm Ameriprise.

The imposter domain reads like this: ạmeriprisẹ[.]com. See the tiny dots below the “ạ” and “ẹ”? That’s how attackers are using punycode to fool victims into visiting dangerous websites.

Punycode is an internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. A cyber gang calling itself Disneyland Team uses punycode to commit financial fraud, according to a KrebsOnSecurity report.

Another domain used by Disneyland Team is ushank[.]com, which is designed to fool U.S. Bank customers. If you don’t read carefully, you might think “ushank” is “usbank”. As per Krebs, other imposter domains used in this kind of phishing attack include:

  • Login2.ẹmirạtesnbd[.]com, which mimics Emirates NBD Bank in Dubai
  • Cliẹntșchwab[.]com, which looks like the login page for Charles Schwab clients
  • Singlepoint.ụșbamk[.]com, another phishing domain for U.S. Bank customers.

Not your classic phishing attack

The Disneyland Team punycode intrusions aren’t your typical phishing attacks. Rather, the group uses phony bank domains to leverage malicious software already installed on a victim’s computer. The Windows-based banking malware is called Gozi 2.0/Ursnif.

According to Krebs, Gozi can harvest credentials and facilitate fraudulent bank transfers in client-side online banking. Gozi also allows attackers to connect to a bank’s website using the victim’s computer.

Why don’t criminals simply steal credentials with conventional phishing campaigns? Most banking sites will ask for secondary authentication if intruders attempt to log in from an unknown IP address. That’s why Disneyland Team lures targets to interact with fake bank websites. Meanwhile, the malware relays the victim’s browser activity to the real bank website. This enables attackers to defeat multi-factor authentication challenges, such as secret questions or verification apps.

When victims enter login credentials on the phony bank page, they see a spinning circle followed by a message that says, “Awaiting back office approval for your request. Please don’t close this window.” This gives the criminals time to log in undetected and take control of the victim’s bank account.

Typosquatting leads to WASP sting

Typosquatting is another attack that takes advantage of users who don’t read carefully. This particular scam targets developers on the Python Package Index (PyPi), the official third-party software repository for Python. As of January 2022, over 350,000 Python packages can be accessed through that repository. PyPi enables users to search for packages by keywords or filters.

When browsing for a PyPi package, developers need to pay close attention. For example, let’s say you search for the Colorama PyPi package. If you click too quickly, you might select Colorsama — a malicious package with a toxic import.

Operators of these imposter packages start by copying legitimate package codes. The criminals then embed malicious code within the rogue package using a technique called steganography. This hides code in other files to infect PyPi users through open-source projects on GitHub.

According to Phylum, the malicious import was injected in plain view in early versions of infected packages. As these attempts were taken down, attackers changed tactics. Instead of dumping the import in an obvious spot, they hid the code off-screen.

In the image below, the red arrow marks the toxic import. It can only be seen if you zoom out on your code editor window.

Source: Phylum

Recently, researchers reported seeing malicious packages on PyPi containing WASP info-stealer malware. One report detailed hundreds of successful infections of the WASP info-stealer, which also houses features that enable it to evade cybersecurity tools. For example, researchers discovered the use of polymorphic malware that enables malicious payloads to change with new installs. This means the infection remains persistent even after a system reboot.

The operator markets WASP as being undetectable and sells copies of the malware for $20. Customers can pay in cryptocurrency or gift cards.

Fake packages look good on GitHub

If typosquatting wasn’t bad enough, actors use other methods to lure people into using infected PyPi packages. One such tactic is starjacking.

The choice of which software package to use in your project depends, in part, on its popularity. That’s why criminals try to deceive developers by making a package look popular to give a false sense of legitimacy.

One way to showcase a code’s popularity is GitHub Stars. These star stats do not go through any validation process. Using a technique called starjacking, attackers can rig GitHub Stars to mislead developers. All attackers have to do is choose a legitimate GitHub repo with attractive statistics. Then, they simply copy the legitimate URL to the URL field in the setup of their toxic package profile.

Unsuspecting victims

Many of the victims of these malicious tactics may be newer developers or those whose first language is not English. Although the PyPi website has various languages to pick from, not every package description comes with a translation. This makes it harder for developers to evaluate package legitimacy.

Almost 60% of IT companies outsource some or all of their software development. As more developer work moves offshore, it will become easier for malicious code to find its way onto computers. Through vigilance and careful reading, you might catch a threat before it’s too late.

More from News

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government. The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of…

Recent developments and updates in Biden cyber policy

3 min read - The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…

Change Healthcare cyberattack causes dire billing crisis

3 min read - Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications. Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today