Punycode Makes SMiShing Attacks More Deceiving
2.6.18 securityweek Attack
Phishing attacks carried out via text messages that use the “Punycode” technique to make nefarious URLs look legitimate are becoming more popular, cloud security firm Zscaler says.
Referred to as SMiShing, SMS phishing is a technique where attackers use text messages in an attempt to trick users into clicking a link that usually leads to malware or asks for sensitive information from the victims.
Recently, cybercriminals engaged in SMiShing campaigns started using Punycode (a technique also known as homograph attack) to deceive users into believing they are accessing a legitimate link. Specifically, the attackers replace one or more characters in the URL with similar-looking characters that are represented differently in Punycode.
Attacks leveraging Punycode are not new and have been targeting Office 365 business users and Chrome and Firefox users, but only recently they started occurring more frequently in text message attacks.
SMiShing has been on the rise since the beginning of the year, and the adoption of new techniques clearly make it an important threat.
The use of Punycode as part of SMiShing campaigns increases the chances for successful compromise, as mobile phone users are unlikely to notice the modified URL.
In one of the observed incidents, the unsuspecting user received a WhatsApp message pretending to be a link to a Jet Airways offer of free air tickets. Although looking like the actual jetairways.com website, the link was using a homograph attack, thus getting the user to xn-jetarways-ypb.com instead.
If the link is accessed on an iPhone, Safari attempts to load the phishing website without displaying the correct link. Chrome on Android, however, displays the correct link (shows the URL in Punycode format) instead.
“The Web browsers decide whether to display the IDN or Punycode format based on conditions like the presence of certain characters which can spoof the separators like "." or "/", determining whether all characters come from same language, if characters belong to allowable combinations or by checking if the domain belongs to whitelisted TLDs,” Zscaler explains.
The domain used as part of the observed attack was newly registered, within the last two weeks, the researchers say. They also note that, after being served the phishing page, victims are redirected to another domain, newuewfarben[.]com, which can be used to serve malware.
“SMiShing has been on a rise in year 18 and the addition of homograph technique will continue to make it more effective against unsuspecting mobile users. Web browsers have implemented protections against homograph attacks, but because of the legitimate use of Punycode characters, it becomes very difficult for the developers to implement a foolproof fix. Attackers leverage this to work around the rules and create homographs which are displayed as IDNs despite being malicious in nature,” Zscaler concludes.