Hackers who want to separate you from your bitcoin know what a homoglyph looks like. The question remains then, do you?
According to the latest ESET threat report, published today, blockchain.com is amongst the three most impersonated domains when it comes to homoglyph attacks. While apple.com led the homoglyph impersonation pack, most of the ESET telemetry detections came from a single educational source and were not malicious. The same cannot be said about the blockchain domain impersonators. So, if blockchain hackers know what a homoglyph looks like, and how to use one to relieve you of your bitcoin wallet, why don’t you?
Domain impersonations are on the up
Another newly published report, the geopolitical and cybersecurity risk weekly brief from threat intelligence specialists Cyjax, has revealed that between February and March there was a “569% growth in malicious registrations and a 788% growth in high-risk registrations linked to scams, unauthorized cryptocurrency mining, and bulletproof hosting sites.” This comes as absolutely no surprise. While exploiting the search for information concerning COVID-19 is the plat du jour for hackers, that doesn’t mean the rest of the criminal dishes are off the menu. Homoglyph attacks are one example of a gourmet cybercrime classic that has been making something of a revival recently.
What is a homoglyph attack and why should you care?
The Wikipedia definition of a homoglyph is a character, grapheme, or glyph that appears identical or at least remarkably similar to another in typography. A homoglyph attack, therefore, is one that exploits these similarities by replacing one character with the other when registering a domain. In this way, two entirely distinct domains can appear identical in terms of their URLs at first glance, and quite often at second glance as well. This works because the lookalike characters come from different alphabets: even when they are identical in appearance, a computer treats them as different code points, while the human eye does not. “I’ve seen some extremely convincing links in my time, and so to the untrained eye, it’s no wonder they still appear in 2020,” Jake Moore, a cybersecurity specialist at ESET, says.
According to the ESET telemetry from its report, instagram.com and blockchain.com were the domains most impersonated by malicious homoglyph lookalikes across the first quarter of 2020. Although homoglyph deception is mostly thought of as an email attack vector, social media has also been something of a playground for hackers looking to deceive users into sending credentials to their inbox or capturing that data on a cloned website.
You can see how easy this is to achieve, and just how similar domain names can be made to look, using the Homoglyph Attack Generator, a legitimate penetration testing tool.
Attacks against blockchain make perfect sense to Ian Thornton-Trump, CISO at threat intelligence company Cyjax, especially if trying to grab bitcoin wallets at a time of economic uncertainty. It’s not just your average cybercriminal chancer that will be interested in such attack methodologies either, “regimes are looking for currency to prop up their economies,” Thornton-Trump says, adding “it’s important to note that homoglyph attacks work really well when you target audiences with English as a second language.”
Mitigating the homoglyph attack threat
There are, thankfully, several mitigations when it comes to this attack surface. For a start, your web browser client should warn you that all is potentially not well when attempting to visit a site using homoglyphs in the domain. “Trusting links can be a minefield and so users are advised to trust their browser or antivirus should a warning appear,” Moore says, “the problem is if some users override such warnings and believe the initial link to be correct and follow through with entering personal details straight into the criminal’s database.”
This brings us to mitigation number two: operators of the top-level domain registries have taken action to help prevent the registration of such lookalike .com, .edu and .net domains. Following a report by researchers at Soluble in March, it was confirmed that Verisign had changed its protections against this kind of mixed-script domain registration to include Unicode Latin IPA Extension characters that had managed to escape scrutiny before. Until all domain registries follow this lead, however, homoglyph attacks are likely to remain a concern moving forward.
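To make the two points above concrete, the definition of a homoglyph lookalike and the registry-side mixed-script check that the Latin IPA Extension characters slipped past, here is an added detection example; it is not from the article, ESET, Cyjax, Soluble or Verisign. It decodes a hostname from its punycode (xn--) form, flags labels that mix scripts, flags any non-ASCII characters and specifically the IPA Extensions block (U+0250–U+02AF), and reduces each label to an ASCII "skeleton" to compare it against a watch list of names you care about. The watch list and the small confusables map are constructed for the example (a real deployment would load the full Unicode confusables table), and the sample hostnames are made up, not real registrations.

```python
import unicodedata

# Constructed watch list: the brand labels this checker guards (taken from the
# article's examples). An organisation would list its own domains here.
WATCH_LIST = {"apple", "blockchain", "instagram"}

# Constructed, deliberately small lookalike map in the spirit of Unicode TR39
# "skeleton" matching: lookalike character -> the ASCII letter it resembles.
# A real deployment would load the full confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o er
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",   # Cyrillic es u ha dze
    "\u0456": "i", "\u0458": "j", "\u04cf": "l",                  # Cyrillic i je palochka
    "\u0261": "g", "\u0131": "i",                                 # Latin script g, dotless i
    "\u03b1": "a", "\u03bf": "o",                                 # Greek alpha, omicron
}

# Unicode block for the IPA Extensions (U+0250..U+02AF). These are Latin-script
# letters, so a per-label "single script only" rule does not catch them.
IPA_EXTENSIONS = range(0x0250, 0x02B0)


def script_of(ch: str) -> str:
    """Rough script of one character: the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Digits, hyphen and dot count as COMMON."""
    if ch in "-." or ch.isdigit():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so that the characters a user would see are
    the ones inspected; a host that is already Unicode is returned unchanged."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def to_punycode(host: str) -> str:
    """Encode a Unicode hostname into the ASCII form the DNS actually carries."""
    return host.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Replace each known lookalike with the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def analyse_hostname(host: str, watch_list=WATCH_LIST) -> dict:
    """Return a report with the decoded name, its punycode form and a list of
    findings; 'suspicious' is True when any finding was raised."""
    uhost = to_unicode(host.strip().lower())
    findings = []
    for label in uhost.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:                        # Latin mixed with Cyrillic, Greek, ...
            findings.append(f"'{label}': mixed scripts {sorted(scripts)}")
        non_ascii = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
                     for c in label if not c.isascii()]
        if non_ascii:
            findings.append(f"'{label}': non-ASCII characters " + ", ".join(non_ascii))
        if any(ord(c) in IPA_EXTENSIONS for c in label):   # same script as ASCII, still a lookalike
            findings.append(f"'{label}': Latin IPA Extension characters present")
        sk = skeleton(label)
        if sk != label and sk in watch_list:        # lookalike of a name we guard
            findings.append(f"'{label}': looks like watched name '{sk}'")
    return {
        "unicode": uhost,
        "punycode": to_punycode(uhost),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed sample hostnames; none of them are real registrations.
    samples = ("blockchain.com", "blockcha\u0456n.com",
               "\u0430\u0440\u0440\u04cf\u0435.com", "insta\u0261ram.com")
    for sample in samples:
        report = analyse_hostname(sample)
        print(report["unicode"], "->", report["punycode"])
        for finding in report["findings"]:
            print("   ", finding)
```

The all-Cyrillic and the IPA samples show why a mixed-script rule alone is not enough: neither label mixes scripts, yet both reduce to a watched name once lookalikes are mapped back to ASCII. Run over newly observed domains (certificate transparency logs, proxy logs, inbound mail) the skeleton match is the finding worth alerting on; the others are context.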
“Good web proxy software and community threat intelligence such as reporting malicious homoglyph-based links to VirusTotal, is key,” says Thornton-Trump, continuing, “many of these homoglyph attacks are only live for a few hours or at most days before they are identified as malicious.”
Meanwhile, Moore concludes with the advice that even if you believe a link in an email or on social media to be genuine, “still route into the website via another path such as searching for it online as trusting links can be a minefield.”