Researchers from cybersecurity firm Malwarebytes have analyzed a new evasive phishing technique used by attackers in the wild in Magecart attacks. The hackers targeted visitors of several sites using typo-squatted domain names, and modified favicons to inject software skimmers used to steal payment card information.
The technique is known as homoglyph attack, it was involved in phishing scams with IDN homograph attacks.
“The idea is simple and consists of using characters that look the same in order to dupe users,” reads the analysis published by Malwarebytes researchers. “Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lowercase ‘l’.”
The visual trick leverages on the similarities of character scripts to and register fraudulent domains that appear similar to legitimate ones, then attackers trick victims into visiting them.
While analyzing homoglyph attacks, experts also found legitimate websites (e.g., “cigarpage.com”) that were compromised and injected with an innocuous loader for an icon file that loaded a copycat version of the favicon from the typo-squatted domain (“cigarpaqe[.]com”).
Experts noticed that one of the fraudulent domains (“zoplm.com”) involved in this type of attack has been previously tied to Magecart Group 8, the crew that was behind the attacks on NutriBullet, and MyPillow.
“A fourth domain stands out from the rest: zoplm.com. This is also an homoglyph for zopim.com, but that domain has a history. It was previously associated with Magecart Group 8 (RiskIQ)/CoffeMokko (Group-IB) and was recently registered again after several months of inactivity.” continues the analysis.
The combination of attack techniques allows threat actors to implement layers of evasion. Code re-use poses a problem for defenders makes the attribution of the attacks harder.
To avoid phishing attacks that are even more sophisticated users have to scrutinize the website URLs that intend to visit, avoid clicking links from emails, chat messages, and other publicly available content, and enable multi-factor authentication for their accounts to secure accounts from being hijacked.
(SecurityAffairs – hacking, Homoglyph attacks)