Threat Announcement: Phishing Sites Detected on Emoji Domains

Since September 21, PhishLabs analysts have detected a number of phishing sites hosted on emoji domains. So far, all detected sites have a few things in common:

  • They are hosted on the .WS Top Level Domain (TLD)
  • They utilize domains with numerous subdomains (also emojis)
  • They make use of redirects to avoid detection

At the time of writing, PhishLabs analysts are investigating active phishing campaigns making use of emoji domains.

Wait… Did you Just Say Emojis?

Yes, we did.

Over the past few years, a small number of TLDs such as .WS, .FM, and .TO have started supporting the use of emoji domains. Aside from a tiny number of outliers, registered prior to IDNA2008, gTLDs such as .COM and .NET do not allow for the registration of emoji domains.

These domains are created using punycode, which is then translated by browsers (at least some of them) to display emoji domains.

When translated correctly, they look like this:

Punycode translation:

If you visit that domain, you’ll be redirected to Neat, huh?

Unfortunately, phishers have found an alternative and less innocent use for emoji domains: to pique the interest of would-be victims, and induce them to visit malicious phishing sites. As we’ve already noted, the phishing sites observed so far have all made use of multiple emoji subdomains. For example:

Punycode translation: (Note, this is a simulated example, not a real phishing site)

What Does This Mean?

Right now, this tactic is just that — A new technique being tested by phishers to see whether it will increase the efficacy of their campaigns. Just like emoji domains themselves, it’s difficult to know whether emoji phish will become an established trend, or die out altogether.

Although we can’t be sure as to the purpose of the emoji phishing sites we’ve observed — we haven’t yet tracked down any associated lures — our analysts suspect they are intended to be accompanied by SMS lures. Again, while it’s only conjecture at this point, it seems likely that an SMS-based emoji phishing campaign could see some success, particularly with younger smartphone users.

For now, it’s worth viewing emoji domains with some cynicism. When in doubt, go for the traditional URL (if available) or avoid them altogether. If they continue to be a threat, we’ll put out further updates on emoji phishing campaigns in the near future.

Article Link: