Security experts from Malwarebytes discovered cybercriminals using a combination fake domains with favicons to launch “Homoglyph Attacks.” The attackers used Homoglyph attack — also known as homograph attack, script spoofing, or homograph domain name spoofing — in phishing scams, credit card skimming attacks, and on several domain names to load the Inter skimming kit inside of a favicon, a file containing one or more small icons associated with a particular website.
What is a Homoglyph Attack?
A Homoglyph attack is a deception technique that uses homoglyphs or homographs, in which an attacker abuses the similarities of character scripts to create phony domains of existing brands to trick users into clicking. A homoglyph is one of two or more characters or glyphs with shapes that appear identical or very similar. Hence, the name of the attack.
The idea is simple and consists of using characters that look the same in order to dupe users. Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lower case ‘l’. Examples of such are the Latin small letter O (U+006F) and the Digit zero (U+0030). Hypothetically, one might register bl00mberg.com or g00gle.com and get away with it.
– Malwarebytes said in a report.
Most of the users read the above domain as “cigarpage” when in fact it is “cigarpaqe”. Malwarebytes confirmed that the correct website is indeed cigarpage.com and cigarpaqe.com is the imposter.
Connection with Magecart Group
The researchers stated that they found several domains, including the malicious infrastructure (18.104.22.168), which are registered using the same homoglyph technique. Here are the original domain names on the left, and their homoglyph version on the right:
cigarpage.com – cigarpaqe.com
fieldsupply.com – fleldsupply.com
wingsupply.com – winqsupply.com
“A fourth domain stands out from the rest: zoplm.com. This is also an homoglyph for zopim.com, but that domain has a history. It was previously associated with Magecart Group 8 (RiskIQ)/CoffeMokko (Group-IB) and was recently registered again after several months of inactivity,” the report added.
Malwarebytes reported the issue to the victim site and clarified that the malicious code had been removed.
Protection Against Homograph Attacks
Malwarebytes suggested users to be vigilant when browsing online and maintain cybersecurity hygiene, including:
- Regularly updating your browser (They may be your first line of defense against homograph attacks).
- Confirming that the legitimate site you are on has an EVC (Extended Validation Certificate).
- Avoid clicking links from emails, chat messages, and other publicly available content, most especially social media sites, without ensuring that the visible link is indeed the true destination.