Light Dark
December 26, 2017 By David Strom 2 min read
Fraud Protection

Phishing attacks have gotten more sophisticated, especially those that leverage homographic, or Punycode, characters. These characters look like the ordinary Latin alphabet but substitute other language character sets to fool users into navigating to malicious domains.

In recent months, criminals have moved beyond basic phishing schemes and have begun to launch Punycode attacks as part of larger malware efforts. Security researchers have uncovered new campaigns leveraging Punycode domains in connection with a malvertising scheme and a new email exploit.

Seamless Takes Steps Toward Obfuscation

First is the Seamless malvertising campaign, which uses the RIG exploit construction kit to deliver the Ramnit Trojan. The criminals behind the campaign have started using Punycode to hide their attacks. Earlier versions of Seamless used a static IP address for its destination sites. With Punycode, this address is hidden using Cyrillic characters.

Security researchers first spotted this new variation of Seamless in March 2017. They suggested that, since previous efforts to identify the campaign were relatively straightforward, the malware authors have taken their first steps toward obfuscation.

Mailsploit Mayhem

Another prominent cyberthreat that uses Punycode is a “collection of bugs in email clients that allow effective sender spoofing and code injection attacks” known as Mailsploit. In December 2017, security researcher Sabri Haddouche reported bugs in more than 30 different email clients that supposedly circumvented email encryption protocols. One of the attack vectors he identified involves the use of Punycode characters.

Several email vendors have updated their client software to protect against code injection attacks. Haddouche is maintaining a spreadsheet to keep track of which mail clients have patched their systems and which have not. Most of the major email vendors, including Gmail and Office 365, aren’t affected, and Yahoo has already fixed the vulnerability. Kudos to Haddouche for working with the vendors prior to disclosing the issue.

Nip Punycode Attacks in the Bud

The Punycode attack vector is gaining popularity among cybercriminals and is likely to pop up in more malware campaigns in the near future. Now is a good time to brush up on the standards for non-Latin domain names to help you identify Punycode attacks before they can do any damage to your system.

Read the white paper: Adapt to new phishing threats and assess websites automatically

 |  |  |  |  |  |  |  | 
David Strom
Security Evangelist

More from Fraud Protection
October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

August 23, 2023

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

August 17, 2023

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature