Homograph phishing (noun)

Transcript

Rick Howard: The word is: Homograph phishing.

Rick Howard: Spelled: Homograph, as in words that are spelled the same, but have different meanings. Phishing, as in a social engineering technique that tricks the user into thinking that they're interacting with a trusted entity.

Rick Howard: Definition: The use of similar-looking characters in a phishing URL to spoof a legitimate site.

Rick Howard: Example sentence: The attacker used a homograph phishing attack to fool the victim into visiting a spoofed version of a banking site.

Rick Howard: Origin and context: Unicode is an encoding standard used to display text on a computer. Unlike ASCII, which uses eight bits per character and only can represent 128 or 256 symbols, Unicode can display more than 144,000 characters. This allows Unicode to display text in many different languages. Homograph or homoglyph phishing attacks use similar-looking Unicode characters to craft deceptive phishing URLs.

Rick Howard: In most instances, these discrepancies can be spotted. If the user looks closely, such as when the attacker replaces the letter "O" with the number zero. These simple attacks are usually referred to as "typosquatting." In some cases, however, the characters can appear identical. Martin Zugec of Bitdefender explains that these homograph attacks use international domain names, IDNs, to insert characters from different languages into the URL.

Rick Howard: For example, the Latin letter "O" and the Cyrillic letter "O" appear the same to the human eye, but have different underlying Unicode. Therefore, our URL that uses the Latin "O" can look exactly the same as the one that uses the Cyrillic "O," but each URL will lead to a different site. Zugec notes that homographic attacks based on international domain names require much more effort than typosquatting, but they're still achievable by sophisticated attackers. Zugec says, " IDN homograph attacks are not common - they require custom domain registration, and most browsers don't use the display name anymore like Unicode. Instead they will use the real name ASCII code. While this makes it impractical for most attackers, it is a viable option for the highly motivated threat actor."

Rick Howard: Nerd reference: The Mission Impossible Franchise, a TV show that ran from 1966 to 1973 and the Tom Cruise movie collection with six movies under his belt from 1996 to 2018 and as of this writing, Cruise is filming the next two, is famous for creating rubber face mask for its Impossible Mission Force or I.M.F. team members. These masks are the spy's homographs they make the IMF members look similar in an uncanny valley kind of way to colleagues and conspirators of their intelligence targets. Which then allows them to fish information from the targets because they are unguarded around these seemingly well known friends.

Rick Howard: Word Notes: is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.

HOST(S):

Rick Howard is the CSO of N2K and the Chief Analyst, and Senior Fellow at the N2K Cyber, formerly CyberWire. His past lives include CSO at Palo Alto Networks, CISO at TASC, the GM at Verisign/iDefense, the Counterpane SOC Director, and the Commander of the Army's Computer Emergency Response Team (CERT). Rick served 25 years in the Army, taught computer science at West Point, edited two books and just published his own book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics" and he is regularly joined at the N2K Cyber's Hash Table by a collection of industry experts.

Schedule: Tuesdays

Creator: CyberWire, Inc.