January 11, 2023 By Jonathan Reed 4 min read

Many phishing attacks pose as banks, and their efforts can be quite convincing. Everything in the email might look official, including the logo. But if you carefully examine the sender’s address, you can see it’s from an imposter.

Now threat actors are using even more sophisticated methods to deceive targets. From typosquatting to punycode to starjacking, these new tactics demand even closer attention to spot. It’s more important than ever to read carefully — or pay a steep price for being in a hurry.

How attackers use Punycode

Have you ever seen a speck of dirt on your computer monitor? Well, if the speck moves when scrolling, it’s more than just dust. It could be a booby-trapped domain.

For example, let’s look at how cyber criminals spoof the U.S. financial services firm Ameriprise.

The imposter domain reads like this: ạmeriprisẹ[.]com. See the tiny dots below the “ạ” and “ẹ”? That’s how attackers are using punycode to fool victims into visiting dangerous websites.

Punycode is an internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. A cyber gang calling itself Disneyland Team uses punycode to commit financial fraud, according to a KrebsOnSecurity report.

Another domain used by Disneyland Team is ushank[.]com, which is designed to fool U.S. Bank customers. If you don’t read carefully, you might think “ushank” is “usbank”. As per Krebs, other imposter domains used in this kind of phishing attack include:

  • Login2.ẹmirạtesnbd[.]com, which mimics Emirates NBD Bank in Dubai
  • Cliẹntșchwab[.]com, which looks like the login page for Charles Schwab clients
  • Singlepoint.ụșbamk[.]com, another phishing domain for U.S. Bank customers.

Not your classic phishing attack

The Disneyland Team punycode intrusions aren’t your typical phishing attacks. Rather, the group uses phony bank domains to leverage malicious software already installed on a victim’s computer. The Windows-based banking malware is called Gozi 2.0/Ursnif.

According to Krebs, Gozi can harvest credentials and facilitate fraudulent bank transfers in client-side online banking. Gozi also allows attackers to connect to a bank’s website using the victim’s computer.

Why don’t criminals simply steal credentials with conventional phishing campaigns? Most banking sites will ask for secondary authentication if intruders attempt to log in from an unknown IP address. That’s why Disneyland Team lures targets to interact with fake bank websites. Meanwhile, the malware relays the victim’s browser activity to the real bank website. This enables attackers to defeat multi-factor authentication challenges, such as secret questions or verification apps.

When victims enter login credentials on the phony bank page, they see a spinning circle followed by a message that says, “Awaiting back office approval for your request. Please don’t close this window.” This gives the criminals time to log in undetected and take control of the victim’s bank account.

Typosquatting leads to WASP sting

Typosquatting is another attack that takes advantage of users who don’t read carefully. This particular scam targets developers on the Python Package Index (PyPi), the official third-party software repository for Python. As of January 2022, over 350,000 Python packages can be accessed through that repository. PyPi enables users to search for packages by keywords or filters.

When browsing for a PyPi package, developers need to pay close attention. For example, let’s say you search for the Colorama PyPi package. If you click too quickly, you might select Colorsama — a malicious package with a toxic import.

Operators of these imposter packages start by copying legitimate package codes. The criminals then embed malicious code within the rogue package using a technique called steganography. This hides code in other files to infect PyPi users through open-source projects on GitHub.

According to Phylum, the malicious import was injected in plain view in early versions of infected packages. As these attempts were taken down, attackers changed tactics. Instead of dumping the import in an obvious spot, they hid the code off-screen.

In the image below, the red arrow marks the toxic import. It can only be seen if you zoom out on your code editor window.

Source: Phylum

Recently, researchers reported seeing malicious packages on PyPi containing WASP info-stealer malware. One report detailed hundreds of successful infections of the WASP info-stealer, which also houses features that enable it to evade cybersecurity tools. For example, researchers discovered the use of polymorphic malware that enables malicious payloads to change with new installs. This means the infection remains persistent even after a system reboot.

The operator markets WASP as being undetectable and sells copies of the malware for $20. Customers can pay in cryptocurrency or gift cards.

Fake packages look good on GitHub

If typosquatting wasn’t bad enough, actors use other methods to lure people into using infected PyPi packages. One such tactic is starjacking.

The choice of which software package to use in your project depends, in part, on its popularity. That’s why criminals try to deceive developers by making a package look popular to give a false sense of legitimacy.

One way to showcase a code’s popularity is GitHub Stars. These star stats do not go through any validation process. Using a technique called starjacking, attackers can rig GitHub Stars to mislead developers. All attackers have to do is choose a legitimate GitHub repo with attractive statistics. Then, they simply copy the legitimate URL to the URL field in the setup of their toxic package profile.

Unsuspecting victims

Many of the victims of these malicious tactics may be newer developers or those whose first language is not English. Although the PyPi website has various languages to pick from, not every package description comes with a translation. This makes it harder for developers to evaluate package legitimacy.

Almost 60% of IT companies outsource some or all of their software development. As more developer work moves offshore, it will become easier for malicious code to find its way onto computers. Through vigilance and careful reading, you might catch a threat before it’s too late.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today