Read Carefully: The Dangers of Punycode and Typosquatting

Many phishing attacks pose as banks, and their efforts can be quite convincing. Everything in the email might look official, including the logo. But if you carefully examine the sender’s address, you can see it’s from an imposter.

Now threat actors are using even more sophisticated methods to deceive targets. From typosquatting to punycode to starjacking, these new tactics demand even closer attention to spot. It’s more important than ever to read carefully — or pay a steep price for being in a hurry. 

How Attackers Use Punycode

Have you ever seen a speck of dirt on your computer monitor? Well, if the speck moves when scrolling, it’s more than just dust. It could be a booby-trapped domain.

For example, let’s look at how cyber criminals spoof the U.S. financial services firm Ameriprise. 

The imposter domain reads like this: ạmeriprisẹ[.]com. See the tiny dots below the “ạ” and “ẹ”? That’s how attackers are using punycode to fool victims into visiting dangerous websites.

Punycode is an internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic. A cyber gang calling itself Disneyland Team uses punycode to commit financial fraud, according to a KrebsOnSecurity report. 

Another domain used by Disneyland Team is ushank[.]com, which is designed to fool U.S. Bank customers. If you don’t read carefully, you might think “ushank” is “usbank”. As per Krebs, other imposter domains used in this kind of phishing attack include:

  • Login2.ẹmirạtesnbd[.]com, which mimics Emirates NBD Bank in Dubai
  • Cliẹntșchwab[.]com, which looks like the login page for Charles Schwab clients
  • Singlepoint.ụșbamk[.]com, another phishing domain for U.S. Bank customers.

Not Your Classic Phishing Attack

The Disneyland Team punycode intrusions aren’t your typical phishing attacks. Rather, the group uses phony bank domains to leverage malicious software already installed on a victim’s computer. The Windows-based banking malware is called Gozi 2.0/Ursnif

According to Krebs, Gozi can harvest credentials and facilitate fraudulent bank transfers in client-side online banking. Gozi also allows attackers to connect to a bank’s website using the victim’s computer.

Why don’t criminals simply steal credentials with conventional phishing campaigns? Most banking sites will ask for secondary authentication if intruders attempt to log in from an unknown IP address. That’s why Disneyland Team lures targets to interact with fake bank websites. Meanwhile, the malware relays the victim’s browser activity to the real bank website. This enables attackers to defeat multi-factor authentication challenges, such as secret questions or verification apps.

When victims enter login credentials on the phony bank page, they see a spinning circle followed by a message that says, “Awaiting back office approval for your request. Please don’t close this window.” This gives the criminals time to log in undetected and take control of the victim’s bank account.

Typosquatting Leads to WASP Sting

Typosquatting is another attack that takes advantage of users who don’t read carefully. This particular scam targets developers on the Python Package Index (PyPi), the official third-party software repository for Python. As of January 2022, over 350,000 Python packages can be accessed through that repository. PyPi enables users to search for packages by keywords or filters.

When browsing for a PyPi package, developers need to pay close attention. For example, let’s say you search for the Colorama PyPi package. If you click too quickly, you might select Colorsama — a malicious package with a toxic import.

Operators of these imposter packages start by copying legitimate package codes. The criminals then embed malicious code within the rogue package using a technique called steganography. This hides code in other files to infect PyPi users through open-source projects on GitHub.

According to Phylum, the malicious import was injected in plain view in early versions of infected packages. As these attempts were taken down, attackers changed tactics. Instead of dumping the import in an obvious spot, they hid the code off-screen.

In the image below, the red arrow marks the toxic import. It can only be seen if you zoom out on your code editor window.

Source: Phylum

Recently, researchers reported seeing malicious packages on PyPi containing WASP info-stealer malware. One report detailed hundreds of successful infections of the WASP info-stealer, which also houses features that enable it to evade cybersecurity tools. For example, researchers discovered the use of polymorphic malware that enables malicious payloads to change with new installs. This means the infection remains persistent even after a system reboot.

The operator markets WASP as being undetectable and sells copies of the malware for $20. Customers can pay in cryptocurrency or gift cards. 

Fake Packages Look Good on GitHub

If typosquatting wasn’t bad enough, actors use other methods to lure people into using infected PyPi packages. One such tactic is starjacking. 

The choice of which software package to use in your project depends, in part, on its popularity. That’s why criminals try to deceive developers by making a package look popular to give a false sense of legitimacy.

One way to showcase a code’s popularity is GitHub Stars. These star stats do not go through any validation process. Using a technique called starjacking, attackers can rig GitHub Stars to mislead developers. All attackers have to do is choose a legitimate GitHub repo with attractive statistics. Then, they simply copy the legitimate URL to the URL field in the setup of their toxic package profile.

Unsuspecting Victims

Many of the victims of these malicious tactics may be newer developers or those whose first language is not English. Although the PyPi website has various languages to pick from, not every package description comes with a translation. This makes it harder for developers to evaluate package legitimacy.

Almost 60% of IT companies outsource some or all of their software development. As more developer work moves offshore, it will become easier for malicious code to find its way onto computers. Through vigilance and careful reading, you might catch a threat before it’s too late. 

The post Read Carefully: The Dangers of Punycode and Typosquatting appeared first on Security Intelligence.

Article Link: Read Carefully: Punycode and Typosquatting Spoof Banks and GitHub