If you’ve ever taken phishing awareness training, you’ve most likely been taught to identify domain name spoofing. Domain name spoofing is a phishing tactic where an attacker sends you an email from one domain, the attacker’s domain, that looks almost identical to another domain, a domain you trust.
The idea is that if the recipient of the email looks at the email address quickly, they may not notice the slight difference. Here’s an example of an email from a lady named Beth at Google: email@example.com. Or is it? No, it’s a domain name spoof spelling Google with three Os.
Now, if you had phishing awareness training and you had your defenses up, there’s no way you’d be fooled by a domain name spoof like that. But, what if you received an email like this: beth@goоgle.com? Undoubtedly your defenses would be lowered. Congratulations, you just got phished with a domain name spoof. How is that possible?
It’s called a homograph phishing attack and it’s virtually impossible for users to spot on their own. How does a homograph phishing attack work? It exploits the fact that many different characters look alike. Those identical looking characters are called homographs. The problem is with how the characters are encoded using something called Unicode.
According to Wikipedia, “Unicode incorporates numerous writing systems, and, for a number of reasons, similar-looking characters such as Greek Ο, Latin O, and Cyrillic О were not assigned the same code. So, the Latin “o” and the Cyrillic “o” have a different Unicode and are therefore different letters.” It also means domains with those two different Os are two different domains. And what you didn’t realize until just now, is that the second “o” in Google in the email you received from Beth is a Cyrillic “o”. So, it did not in fact come from someone at Google, the search engine people.
Domains using non-Latin letters are referred to as internationalized domain names (IDN) and are used quite frequently in homograph phishing attacks. Just last week a homograph phishing attack was used to domain spoof the Bank of Valletta in Malta. What made it even harder to spot is that the email used a valid TLS certificate in the pop up window. That means it used the HTTPS protocol, which is supposed to convey safety.
The homograph phishing attack is the perfect countermeasure to phishing awareness training. No matter how much training you’ve had and no matter how sensitive you are to phishing clues, there’s no way you can spot homograph phishing attack without the aid of technology.
The reason anti-phishing technology doesn’t get fooled by homograph attacks is that it doesn’t really care what the domain name looks like or what letters it contains or from what alphabets. Anti-phishing technology, with real-time link click protection, simply follows the link in the email to the website and inspects it to see if it’s legit or fake. And if it’s fake, then it’s a phishing email, no matter what the link look like.
When you’re ready to concede that phishing awareness training is no match for homograph phishing attacks, head on over to PhishProtection.com with Advanced Threat Defense and get yourself protected from homograph attacks and every other kind of phishing attack. Try it free for 30 days.