The RTLO (or RLO) technique is one of the cybercriminals’ oldest and most common techniques. With the help of this technique, they can make a hyperlink look less suspicious, making you think that it is safe to click on it. However, once you click on the link, it might take you to the attacker’s domain that might ask you for confidential information under a suspicious ruse or download suspicious software on your local device.

Recently, cyber attackers have started sending these strategically designed hyperlinks over social networking platforms such as WhatsApp and Signal, and these links can harm the information stored on your device or even in the cloud. These attacks include smishing (SMS phishing), social attacks, and vishing, which have seen a rise of over 74%.


RTLO Technique

The RTLO, or right-to-left override, is a method used by software to write languages that run from right to left, such as Arabic. For instance, you write a word in left-to-right order in English. However, in Arabic and Hebrew, the text starts from the right side. Thus, while you may write s-o-c-i-a-l in left-to-right order, in right-to-left order it is laid out as l-a-i-c-o-s.

Windows was initially constructed to enable people to write in different languages. It soon gained popularity with users and was used widely to help anyone who wanted to write in another language. However, even though this technique was invented for developmental reasons, it didn’t take long for cybercriminals to realize how they could take advantage of it and profit from it.


Cybercrimes with RTLO

The RTLO technique is used for spoofing in the cybercrime domain. In spoofing, the attacker assumes the identity of another person, an organization, or a website domain. With the help of the RTLO technique, the attacker can create a hyperlink that looks legitimate but leads you to a fraudulent domain that might belong to the criminal. RTLO can also make suspicious files and attachments look like ordinary files.

The RTLO method utilizes a Unicode character that can change the appearance of a hyperlink or the display name of a file. The Unicode character U+202e reverses the displayed order of the letters that come after it. For instance, a file can look like “bluexe.txt” but actually be “blutxt.exe” with U+202e inserted after “blu.” In other words, it is stored as “blu[U+202e]txt.exe,” where the file is a .exe type, but it is displayed as “bluexe.txt,” where the file looks like a .txt file. When the file is displayed as .txt, many people consider it harmless and download it. However, these files might be malware like Trojans that can download other items on their own and put your security at risk.
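A defensive check for the file-name trick described above, as an added example that is not part of the original article: it flags bidirectional control characters in a name, makes them visible, and reports the extension the operating system will actually act on. The function names are hypothetical, the sample names are constructed from the article's own example, and `approx_display` is a simplification of the full Unicode bidirectional algorithm that handles a single U+202E.

```python
# Unicode bidirectional formatting controls that can reorder displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

def find_bidi_controls(text):
    """Return (index, code point, short name) for every bidi control in text."""
    return [(i, f"U+{ord(c):04X}", BIDI_CONTROLS[c])
            for i, c in enumerate(text) if c in BIDI_CONTROLS]

def escape_controls(text):
    """Make the invisible controls visible, e.g. for logs or a quarantine view."""
    return "".join(f"[U+{ord(c):04X}]" if c in BIDI_CONTROLS else c for c in text)

def real_extension(name):
    """Extension taken from the stored (logical) character order."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    return stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""

def approx_display(name):
    """Approximate what a user sees: text after one U+202E is shown reversed."""
    head, sep, tail = name.partition("\u202e")
    return head + tail[::-1] if sep else name

def inspect_name(name):
    """Summarise one file name for a mail gateway or upload filter."""
    hits = find_bidi_controls(name)
    return {
        "suspicious": bool(hits),
        "controls": hits,
        "escaped": escape_controls(name),
        "shown_as": approx_display(name),
        "real_extension": real_extension(name),
    }

# Constructed samples: the article's example name and a benign one.
SAMPLES = ["blu\u202etxt.exe", "report.txt"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_name(sample))
```

The same `find_bidi_controls` scan can be run over link text in chat or SMS messages, since legitimate URLs have no reason to contain these characters.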


Social Network and RTLO Phishing

While RTLO is a technique used in the late 90s and early 2000s, it is beneficial for cyber attackers who need to disguise themselves to attack their target. Hence, recently, the RTLO technique was revived to carry out phishing scams on social networking sites such as Facebook Messenger, iMessage, Instagram, and WhatsApp. These applications have contributed to the recent rise of smishing and vishing attacks, making phishing one of the most common cybercrimes.

With the RTLO technique, the attackers send hyperlinks to their targets via a message. These hyperlinks might look like they belong to renowned organizations such as Google, but they might be links for malware and attacker-operated domains. Once you accidentally click on such hyperlinks, you will be directed to a domain that might look real but might ask for your personal information, such as your account password. Recently, messages such as “your account has been hacked” or “your account has been compromised, confirm your password” have been on the rise. These messages are followed by hyperlinks that look like “” and can direct you to suspicious sites. These hyperlinks are created by inserting the Unicode character U+202e between and When the character U+202e is inserted between two hyperlinks, it may be displayed as something similar to %hjfd%kjb.

Hence, when the attacker frames it as “” it may be displayed as “” You can often identify such links by hovering over them. The first part of such a link will direct you to a different website, while the second part will have another type of address. For instance, if you hover over or long-press on a link such as “” the first part might take you to while the second part will direct you to As such, it can be easy to identify such links.


Prevention and Protection

Although the attackers can use clever techniques to carry out phishing scams that can damage your information assets, privacy, and even financial assets, it can be easy to identify these malicious links and avoid falling prey to such schemes. Here is how you can protect yourself from these scams:

Pay attention to the sender of messages: If you pay attention to the sender of the email, message, or hyperlink, you will be able to avoid threats. If you are receiving messages from unknown numbers that you cannot verify, it is better to block and report them instead of clicking on the links sent by them. According to Kaspersky, the attackers may send you messages that might ask for your bank details. In such cases, you must report them immediately since no real organizations or merchants ask for confidential bank details.

Message content: You can also learn about the message’s validity from the message content itself. You can pay attention to the validity of the message and the kind of message it is trying to convey. If it seems someone from an unknown address is informing you about the vulnerabilities to your account, it is better not to trust them at face value. Do not panic and click on the links delivered by them unless you have verified the validity of their words.

Use the website directly instead of clicking on the suspicious link: If you feel that the message’s content is something you should act on, visit the website directly instead of clicking on a hyperlink sent to you by an unknown number. If you are afraid that your account might be compromised, it might be better to check by visiting the website directly. Doing so can prevent you from clicking on links disguised by RTLO that might look real but are a part of a phishing scam.

Final Words

With threat actors reviving older techniques such as RTLO to lure you into giving away confidential information or installing malware on your devices, you must be adequately equipped to handle such threats. It is even more crucial when you’re running a business, as a mere wrong click by an unsuspecting employee could end up jeopardizing your entire online business operation! Thus, take pertinent precautions such as anti-phishing tools to keep malicious actors at bay.