The RLO technique is a simple technique that disguises malicious files making them seem like simple text files. When downloaded by the user, these files could damage their device or could be used to acquire sensitive information. Although this technique became outdated, recently, attackers started using it again as people lowered their guard against cyber attacks.

The Right-to-Left Technique

The RLO technique was prevalent during the nineties, and early 2000’s when cyber security was not as advanced as it currently is. With the help of this technique, attackers used a simple method to make the users download malicious files that could then be used to extract any information that the attacker wanted to acquire.

The technique utilizes a non-printing Unicode character to change the display name of a file. The RLO Unicode character U+202e reverses the text that comes after it so that it is displayed in a right-to-left format. For instance, if the file name is “filetxt.exe” it can be changed to “fileexe.txt” if the code is written as “fileU+202txt.exe”. Thus, the attackers would disguise malicious “.exe” files as “.txt” files. These files that seemed like simple text files would lead the victim to lower their guard as they would think of them as simple text files and download them. Once downloaded, these files would work as designed by the attacker.


The Phishing Impact on Users

The RLO technique had earlier led to significant losses for many users who were not aware of the technique and were not careful about the kind of files they were downloading. However, with increased awareness and technological advancements, users have become more aware of these attacks, and the number of victims eventually decreased, leading to the RLO technique going out of practice.

However, the attackers have revived this technique with a few alterations. Vade, a security vendor, stated that there were more than 400 cases of attacks that followed the RLO pattern made within a small span of two weeks.

Users of Microsoft 365 reported receiving email notifications that supposedly had an audio attachment with “.mp3” or “.wav” extensions. When they clicked on the attachment to download it, it took them to a page asking for their credentials to listen to the file. Thus, although these files themselves do not consist of malware but instead lead to a landing page that records the data that the user enters on the page, it was not easy to detect them. Many security systems could also not easily detect these files as the new systems are built to check IP and familiar malware signatures.


Similar Phishing Tactics

The RLO technique is not the only Unicode technique that has been used to victimize end users. The “Trojan Source” method was also a Unicode technique that attackers utilized where over 51% of the reported cases were due to this. This technique also disguises the malware file into a more benign-looking file that is then sent to end-users. Once the file is clicked on, the malware is downloaded and starts its work like a trojan file. These attacks were not only harming the one who downloaded the file but also the supply chain that the user was attached to, thus posing a more significant threat.

Renaming system utilities was another type of mechanism that attackers used. This method allowed the users to rename system utilities and make dangerous files look inconspicuous so that people would enter the required data. For instance, a “.vps” file could be disguised as a “.txt” file to avoid detection.


How to Steer Clear of Such Phishing Attempts

With an increase in the recent phishing attacks and seeing how easy it was to receive the data of over 400 people, according to Vade, there seems to be a need for an increase in vigilance in regards to cyber security. Although many advanced tools and firewalls can protect the data from being stolen, it is still pertinent to increase awareness levels about data protection. The following tips provided by Microsoft can go a long way in keeping malicious actors at bay:

  • Keep your passwords well protected: Keeping passwords protected does not end at the creation of a strong password that cannot easily be cracked. You must implement multi-factor authentication (MFA) wherever the option is available.
  • Beware of unusual links and attachments: Do not open suspicious attachments unless they come from a reliable and well-known source. Also, refrain from entering any sensitive details, such as your account passwords or banking information, on any site.
  • Responsible browsing: Be careful what kind of websites you open while browsing the internet. Sometimes you may come across illicit websites. Refrain from clicking on notifications and downloads from such websites as they may end up downloading malware or ransomware on your device.


Final Words

Phishing attacks have been here for decades and have only gotten more sophisticated over time as threat actors also have advanced and have a multitude of resources at their disposal. One cannot anticipate the next phishing campaign threat actors may be planning to revive. Hence, to keep ahead of them, you must have anti-phishing systems in place, especially when you run a small business, as a single employee mistake could end up with malicious actors infiltrating your information assets and stealing confidential business information.