Many phishing attacks pose as banks, and their efforts can be quite convincing. Everything in the email might look official, including the logo. But if you carefully examine the sender’s address, you can see it’s from an imposter.

Now threat actors are using even more sophisticated methods to deceive targets. From typosquatting to punycode to starjacking, these new tactics demand even closer attention to spot. It’s more important than ever to read carefully — or pay a steep price for being in a hurry.

How Attackers Use Punycode

Have you ever seen a speck of dirt on your computer monitor? Well, if the speck moves when scrolling, it’s more than just dust. It could be a booby-trapped domain.

For example, let’s look at how cyber criminals spoof the U.S. financial services firm Ameriprise.

The imposter domain reads like this: ạmeriprisẹ[.]com. See the tiny dots below the “ạ” and “ẹ”? That’s how attackers are using punycode to fool victims into visiting dangerous websites.

Punycode is an internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. A cyber gang calling itself Disneyland Team uses punycode to commit financial fraud, according to a KrebsOnSecurity report.

Another domain used by Disneyland Team is ushank[.]com, which is designed to fool U.S. Bank customers. If you don’t read carefully, you might think “ushank” is “usbank”. As per Krebs, other imposter domains used in this kind of phishing attack include:

  • Login2.ẹmirạtesnbd[.]com, which mimics Emirates NBD Bank in Dubai
  • Cliẹntșchwab[.]com, which looks like the login page for Charles Schwab clients
  • Singlepoint.ụșbamk[.]com, another phishing domain for U.S. Bank customers.

Not Your Classic Phishing Attack

The Disneyland Team punycode intrusions aren’t your typical phishing attacks. Rather, the group uses phony bank domains to leverage malicious software already installed on a victim’s computer. The Windows-based banking malware is called Gozi 2.0/Ursnif.

According to Krebs, Gozi can harvest credentials and facilitate fraudulent bank transfers in client-side online banking. Gozi also allows attackers to connect to a bank’s website using the victim’s computer.

Why don’t criminals simply steal credentials with conventional phishing campaigns? Most banking sites will ask for secondary authentication if intruders attempt to log in from an unknown IP address. That’s why Disneyland Team lures targets to interact with fake bank websites. Meanwhile, the malware relays the victim’s browser activity to the real bank website. This enables attackers to defeat multi-factor authentication challenges, such as secret questions or verification apps.

When victims enter login credentials on the phony bank page, they see a spinning circle followed by a message that says, “Awaiting back office approval for your request. Please don’t close this window.” This gives the criminals time to log in undetected and take control of the victim’s bank account.

Typosquatting Leads to WASP Sting

Typosquatting is another attack that takes advantage of users who don’t read carefully. This particular scam targets developers on the Python Package Index (PyPi), the official third-party software repository for Python. As of January 2022, over 350,000 Python packages can be accessed through that repository. PyPi enables users to search for packages by keywords or filters.

When browsing for a PyPi package, developers need to pay close attention. For example, let’s say you search for the Colorama PyPi package. If you click too quickly, you might select Colorsama — a malicious package with a toxic import.

Operators of these imposter packages start by copying legitimate package codes. The criminals then embed malicious code within the rogue package using a technique called steganography. This hides code in other files to infect PyPi users through open-source projects on GitHub.

According to Phylum, the malicious import was injected in plain view in early versions of infected packages. As these attempts were taken down, attackers changed tactics. Instead of dumping the import in an obvious spot, they hid the code off-screen.

In the image below, the red arrow marks the toxic import. It can only be seen if you zoom out on your code editor window.

Source: Phylum

Recently, researchers reported seeing malicious packages on PyPi containing WASP info-stealer malware. One report detailed hundreds of successful infections of the WASP info-stealer, which also houses features that enable it to evade cybersecurity tools. For example, researchers discovered the use of polymorphic malware that enables malicious payloads to change with new installs. This means the infection remains persistent even after a system reboot.

The operator markets WASP as being undetectable and sells copies of the malware for $20. Customers can pay in cryptocurrency or gift cards.

Fake Packages Look Good on GitHub

If typosquatting wasn’t bad enough, actors use other methods to lure people into using infected PyPi packages. One such tactic is starjacking.

The choice of which software package to use in your project depends, in part, on its popularity. That’s why criminals try to deceive developers by making a package look popular to give a false sense of legitimacy.

One way to showcase a code’s popularity is GitHub Stars. These star stats do not go through any validation process. Using a technique called starjacking, attackers can rig GitHub Stars to mislead developers. All attackers have to do is choose a legitimate GitHub repo with attractive statistics. Then, they simply copy the legitimate URL to the URL field in the setup of their toxic package profile.

Unsuspecting Victims

Many of the victims of these malicious tactics may be newer developers or those whose first language is not English. Although the PyPi website has various languages to pick from, not every package description comes with a translation. This makes it harder for developers to evaluate package legitimacy.

Almost 60% of IT companies outsource some or all of their software development. As more developer work moves offshore, it will become easier for malicious code to find its way onto computers. Through vigilance and careful reading, you might catch a threat before it’s too late.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…