Homoglyph Advanced Phishing Attacks

Introduction

This document describes the use of homoglyph characters in advanced phishing attacks and how to be aware of these when using message and content filters on the Cisco Email Security Appliance (ESA).

Homoglyph Advanced Phishing Attacks

In advanced phishing attacks today, phishing emails may contain homogyph characters.  A homoglyph is a text character with shapes that are near identical or similar to each other.  There may be URLs embedded in phising emails that will not be blocked by message or content filters configured on the ESA.

An example scenario may be as follows: Customer wants to block an email that had contains the URL of www.pɑypal.com.  In order to do so, an inbound content filter is written that will looking for the URL containing www.paypal.com.  The action of this content filter would be configured to drop and notify.

Customer received example of an email containing:  www.pɑypal.com   

Content filter as configured contains: www.paypal.com

If you take a look at the actual URL via DNS you will notice they resolve differently:

$ dig www.pɑypal.com

; <<>> DiG 9.8.3-P1 <<>> www.pɑypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37851
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.p\201\145ypal.com. IN A

;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1440725118 1800 900 604800 86400

;; Query time: 35 msec
;; SERVER: 64.102.6.247#53(64.102.6.247)
;; WHEN: Thu Aug 27 21:26:00 2015
;; MSG SIZE rcvd: 106

$ dig www.paypal.com

; <<>> DiG 9.8.3-P1 <<>> www.paypal.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51860
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 8, ADDITIONAL: 8

;; QUESTION SECTION:
;www.paypal.com. IN A

;; ANSWER SECTION:
www.paypal.com. 279 IN CNAME www.paypal.com.akadns.net.
www.paypal.com.akadns.net. 9 IN CNAME ppdirect.paypal.com.akadns.net.
ppdirect.paypal.com.akadns.net. 279 IN CNAME wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net. 9 IN CNAME www.paypal.com.edgekey.net.
www.paypal.com.edgekey.net. 330 IN CNAME e6166.a.akamaiedge.net.
e6166.a.akamaiedge.net. 20 IN A 184.50.215.128

;; AUTHORITY SECTION:
a.akamaiedge.net. 878 IN NS n5a.akamaiedge.net.
a.akamaiedge.net. 878 IN NS n7a.akamaiedge.net.
a.akamaiedge.net. 878 IN NS n2a.akamaiedge.net.
a.akamaiedge.net. 878 IN NS n0a.akamaiedge.net.
a.akamaiedge.net. 878 IN NS n1a.akamaiedge.net.
a.akamaiedge.net. 878 IN NS n4a.akamaiedge.net.
a.akamaiedge.net. 878 IN NS n6a.akamaiedge.net.
a.akamaiedge.net. 878 IN NS n3a.akamaiedge.net.

;; ADDITIONAL SECTION:
n0a.akamaiedge.net. 383 IN A 184.27.45.145
n1a.akamaiedge.net. 3142 IN A 184.51.101.8
n2a.akamaiedge.net. 6697 IN A 88.221.81.194
n3a.akamaiedge.net. 31 IN A 88.221.81.193
n4a.akamaiedge.net. 168 IN A 72.37.164.223
n5a.akamaiedge.net. 968 IN A 184.51.101.70
n6a.akamaiedge.net. 1851 IN A 23.220.148.171
n7a.akamaiedge.net. 3323 IN A 184.51.101.73

;; Query time: 124 msec
;; SERVER: 64.102.6.247#53(64.102.6.247)
;; WHEN: Thu Aug 27 21:33:50 2015
;; MSG SIZE rcvd: 470

The first URL uses a homoglyph of the letter “a” of the unicode format.

If you look closely, you can see that the first “a” in paypal is actually different than the second “a”.

Please be aware when working with message and content filters to block URLs.  The ESA cannot tell the difference between homoglyphs and standard alphabet characters.  One way to properly detect and prevent the use of homoglyphic phishing attacks is to configure and enable OF and URL Filtering. 

Irongeek provides a method for testing homoglyphs and creating test malicious URL(s): Homoglyph Attack Generator

Detailed introduction into homoglyph phishing attacks, also from Irongeek: Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing