My Brand! The Rise of the Elevated Spoof.

At Credio, we’ve written before about how COVID-19 is having an outsized impact on everything in daily life, including cybersecurity and privacy threats.

As users have been forced to leave the confines of hardened on-prem networks and turn to cloud and other hosted services, organizations have faced greater challenges, often with fewer resources at hand.

The Rise of the Elevated Spoof

For this week’s issue, we wanted to delve into one growing area of concern for organizations -the rise of domain spoofing and improved phishing techniques.

According to a recent report by F5 Labs, “55% of phishing sites made use of target brand names and identities in their URLs.”

Gone are the days of the poorly-written, dodgy sites that boasted exaggerated urgency and laughable spelling mistakes. Now criminals are going for sites that genuinely look and act like their targets — right down to the domain names.

More TLDs = More Opportunities to Wreak Havoc

So how are fraudsters doing it? It turns out, there are a number of techniques available.

Domain Name Spoofing: Fraudsters are learning that, thanks to the wonders of hundreds of top level domain names, it’s still easy to register a deceptively-similar looking domain name, clone a target’s login page, and blast out a link to the user.

For example, let’s say you’re interested in mimicking the domain name for apple.com. Obviously, Apple has already registered all the apple.* domains that most of us can think of. But as more top-level domains and ccTLDs (country-code TLDs) come online, it becomes a game of whack-a-mole to keep up.

Compounding this is the rise of free and low-cost domain registrars such as Freenom and DotTK, which provide inexpensive (and sometimes free) domain registrations, even of popular domains.

Unicode and IDNs: Add to that, the problems that come from our multilingual world — and the Unicode standard. While Unicode is a great equalizing force by opening up opportunities for non-Western speakers to be heard — providing text for most of the world’s writing systems has a cost — it gives criminals a bigger sandbox to play in.

IDNs, or Internationalized Domain Names — use the power of the Unicode standard to allow organizations to connect online in local languages. IDN registrars are still few and far between, but some will allow fairly convincing-looking registrations — for example applе (the Cyrillic capital letter Ie, in lowercase).

Punycode: But say you’re a scammer, and committed to keeping the domain in the .com TLD. Now, GoDaddy won’t accept non-ASCII unicode character sets, so your plans for applе.com likely won’t fly. Enter punycode.

Punycode is a way of converting letters that cannot be written in ASCII into Unicode ASCII encoding. Using punycode, you can include non-ASCII characters within a domain name by generating a “bootstring” encoding of unicode. Here’s the punycode for applе.com – xn--appl-y4d.com (which can be registered for around $11).

On certain vulnerable browsers (and especially mobile devices, where eyeballs are contending with smaller screens, shrunken urls, and the inability to hover a mouse), it renders the page as applе.com, which looks surprisingly legitimate, especially if you’re clicking on a link and might be distracted, or haven’t had your first cup of coffee. Throw in a free Letsencrypt TLS certificate, and it’s a very convincing-looking fraud opportunity.

Site Cloning: Even the practice of cloning a website can often be trivially easy. One need only visit the target’s website, save the page, and extract the HTML, CSS, images and other elements, and upload that content to a hosting site. With a few alterations, a fraudster can make a rather convincing-looking site at https://applе.comthat might confuse even the most skeptical among us.

While phishing attacks will only continue to improve so long as there are victims to be had, it’s important that awareness, security controls, and the tools we use, also continue to evolve with the threat. Our eyes can’t do it alone.