
Phish Philtering

[This is an article – slightly edited – that was originally posted on the now defunct itsecurity.co.uk, a blog page to which a number of security researchers contributed articles independently of any commercial organizations for whom they might work. I was reminded of it by a repost by Mich Kabay giving a specific example of a homoglyph attack – that is, one where a scammer spoofs a legitimate web site by substituting characters from a different character set, as described below. I haven’t checked this exhaustively, but it still stands in principle.]

I recently posted an article on the ESET blog about recognizing phishing messages. It covers quite a lot of ground that I don’t intend to go over again here, though I’ll include a quick summary at the end of this article, to give you an idea as to whether it’s worth reading – or recommending to others. Well, you never know. However, for some people the ways that a URL might be camouflaged as something resembling a legitimate site name so as to trick a victim into clicking on a malicious site has proved to be even more of a draw than the horrible visual (and non-visual) puns I included.

Happily, many of the tricks for obscuring URLs that were commonly used when I first started researching phishing techniques have been addressed in common browsers, so that some techniques as described here will no longer work as expected. Don’t take that for granted, though: one of those tricks is to put a legitimate-looking site name at the beginning of the URL, on the assumption that the browser will ignore anything between the initial ‘http://’ and an ‘@’ character. Here’s an example: https://[email protected]/2013/05/29/phishing-the-click-of-death/. In a quick and quite unscientific test, I was surprised to find that this URL took me quite happily to www.welivesecurity.com/2013/05/29/phishing-the-click-of-death/ in Chrome, though Internet Explorer told me that it couldn’t find the site. [When I tried this much more recently (2023) in Chrome I was still taken to the WeLiveSecurity page, but the real target URL was highlighted – your browser’s mileage may vary.]
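As an added example (not part of the original post), here is a small Python script showing what a URL parser does with the ‘@’ trick described above: the authority is split at the ‘@’, so the host actually contacted is the one after it, and anything before it is just userinfo. The sample URL is constructed, with a placeholder domain in the userinfo part.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape the article describes: a plausible host name before
# the '@' (a placeholder domain here), the host that actually gets the request after it.
SAMPLE = ("https://www.mybank.example@www.welivesecurity.com"
          "/2013/05/29/phishing-the-click-of-death/")
PLAIN = "https://www.welivesecurity.com/2013/05/29/phishing-the-click-of-death/"


def real_host(url):
    """The host a browser will actually connect to (RFC 3986: the part of the
    authority after the last '@', before any port or path)."""
    return urlsplit(url).hostname or ""


def apparent_host(url):
    """What a casual reader sees first: the userinfo part, or '' if there is none."""
    return urlsplit(url).username or ""


def userinfo_looks_like_host(url):
    """True when the userinfo contains a dot, i.e. it reads like a domain name.
    Genuine 'user@host' links in mail are rare enough that this is a useful
    triage flag for a mail gateway or a link-rewriting proxy."""
    user = urlsplit(url).username
    return bool(user) and "." in user


def describe(url):
    """One-line verdict suitable for a gateway log or a user-facing warning."""
    if userinfo_looks_like_host(url):
        return f"SUSPICIOUS: looks like {apparent_host(url)}, goes to {real_host(url)}"
    return f"ok: goes to {real_host(url)}"


if __name__ == "__main__":
    print(describe(SAMPLE))
    print(describe(PLAIN))
```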

All the more reason for passing the cursor over the URL to see if the apparent URL and the one the browser actually sees are a match. Sadly (if you’ll allow me to quote myself…):

…many large organizations, including the big banks, use multiple domains for various purposes, and some outsource mail and other services to external companies whose domains don’t appear to have anything to do with the provider. Unfortunately, this is one of the practices that make the scammer’s life easier, but it’s a practice too firmly ingrained in modern business to expect it to be discontinued any time soon.

Here’s a very simple example of a link that looks quite different to the site it really links to: nice-site.co.uk. Other tricks include using one or more redirects (very commonly used in malware dissemination) and the use of shortened URLs.

Using a domain that looks like a known real address but is slightly and inconspicuously different is standard practice for phishers, and not always easy to detect. A simplistic example might be something like IIoydsbank.com or barcIays.com, where I’ve substituted a capital ‘I’ for each lowercase ‘L’.

We see a common variation of this approach known as a homoglyph attack: in the Unicode character set there are many exotic characters that look to the casual eye (at least in some fonts) very much like ASCII characters, but are, for the purposes of identifying a web address, completely different.

In the original blog, I just cited some examples:

In the following representation of the ESET domain ‘welivesecurity.com’, ωϵІіѵєѕєсᴜᴦіțу.ϲοᶆ, not one character is actually the US-ASCII character it resembles. Sitting there surrounded by standard Latin characters, the word looks quite odd (especially as the CMS doesn’t allow me much flexibility with the font size or character set), but what if it was just one character different with a carefully chosen font and font size? For example, welivesecurity.cοm. (In this case, that ‘o’ is actually an omicron.)

Subsequently, my colleague Bruce Burrell suggested that if readers were to paste those two bogus welivesecurity.com URLs into Notepad (Other Text Editors Are Available), then search for the letter ‘o’ it would be a good ‘live’ demonstration of the principle of this kind of attack, and I modified the article accordingly.

Here, though, I’ve used a screenshot to illustrate the principle.

In the first pair (barclays.com), the ‘L’ in one is actually an uppercase ‘I’. There is a visible difference between the two because I used a proportional font (Microsoft Sans Serif). The absence of serifs (the twiddly bits at the top and the bottom of the ‘I’) accentuates the similarity between the two characters (just a straight vertical line in each case), but the kerning is slightly different in each case, so one of the pair is slightly wider than the other. But can you tell which one is bogus? If you can, you’re probably a typographer…

The version of welivesecurity.com that consists entirely of homoglyphs is pretty easy to spot, though it might be more convincing in a different typographical context.

However, one of the second pair of addresses really does say welivesecurity.com, while the other includes an omicron instead of an ‘o’. And I can’t tell which is which by eye: maybe you can do better. (Give up? The fake is the first one…)
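Bruce’s Notepad search, done in code: an added example (not part of the original post) that lists every non-ASCII character in a domain with its Unicode name, inventories the scripts used, compares two names position by position (which also catches the capital-I-for-L trick), and shows the punycode form a resolver would actually look up. The sample names are the article’s own bogus domains; the omicron is written as an escape so that it is unambiguous.

```python
import unicodedata

# Constructed samples. The two bogus welivesecurity.com forms are the ones quoted in
# the article; the omicron is an escape so an editor cannot silently "correct" it.
# barcIays.com is the article's capital-I-for-lowercase-L example.
REAL = "welivesecurity.com"
ONE_CHAR_OFF = "welivesecurity.c\u03bfm"   # U+03BF GREEK SMALL LETTER OMICRON
ALL_HOMOGLYPHS = "ωϵІіѵєѕєсᴜᴦіțу.ϲοᶆ"
ASCII_LOOKALIKE = "barcIays.com"


def non_ascii_chars(domain):
    """List (index, char, code point, Unicode name) for every non-ASCII character."""
    return [(i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(domain) if ord(ch) > 0x7F]


def scripts_used(domain):
    """Crude script inventory from the first word of each letter's Unicode name
    (LATIN, GREEK, CYRILLIC, ...). More than one script in a name is a red flag."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in domain if ch.isalpha()}


def diff_positions(expected, observed):
    """Position-by-position comparison of two same-length names: the programmatic
    form of pasting both into an editor and searching for the letter you expect."""
    return [(i, e, o, unicodedata.name(o, "UNKNOWN"))
            for i, (e, o) in enumerate(zip(expected, observed)) if e != o]


def to_punycode(domain):
    """The ASCII form a resolver sees. Any 'xn--' label means the name you read is
    not the name being looked up. Python's 'idna' codec implements IDNA 2003 and
    may reject some characters; that is reported in the result rather than raised."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        return f"<rejected by IDNA 2003: {exc}>"


if __name__ == "__main__":
    for name in (REAL, ONE_CHAR_OFF, ALL_HOMOGLYPHS):
        print(name, sorted(scripts_used(name)), to_punycode(name))
        for entry in non_ascii_chars(name):
            print("   ", entry)
    print(diff_positions("barclays.com", ASCII_LOOKALIKE))
```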

Here’s a summary of indicators of possible malice in a potential phishing message. Of course there’s more detail in the original article.

1) Does the message really show that the sender knows anything about you, let alone that you already do business with him?

2) Expect the worst from attached files and embedded links.

3) Take elementary precautions (like passing the mouse cursor over the link).

4) Don’t let threats get to you and be panicked into clicking incautiously.

5) Don’t be click-happy and rely on security software to detect everything.

6) Don’t fall for slick presentation: phishers are much more sophisticated nowadays.

7) Unless you’re a security expert, consider checking out some of the resources listed in the article for more information.

Of course, there’s plenty of information published by other companies and researchers, but I didn’t try to list those resources in an already-lengthy article.

And if you got this far, you might be irritated if I didn’t tell you which were the bogus URLs in the screenshot.

  • The second barclays.com is actually barcIays.com.
  • ωϵІіѵєѕєсᴜᴦіțу.ϲοᶆ is completely wrong, of course.
  • And in the last pair, it’s the first welivesecurity.com that uses an omicron instead of an ‘o’.

Here are a couple of my old blogs for ESET that include the use of similar techniques.

And a good summary by Graham Cluley.

David Harley

This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2023/01/18/phish-philtering/