3 min read

Homoglyph domains used in BEC scams shut down by Microsoft

Graham CLULEY

July 22, 2021

Homoglyph domains used in BEC scams shut down by Microsoft

17 domains used in Business Email Compromise (BEC) scams have been seized by Microsoft's Digital Crimes Unit (DCU), following an investigation by the software giant into attacks that could have stolen millions of dollars from innocent firms.

The "homoglyph" domains impersonated domains used by legitimate businesses, and were used in attempts to defraud Microsoft Office 365 customers.

Homoglyph domains exploit the fact that many different characters look identical or very similar.

For instance, the capital letter "O" and the number "0" (eg. MICROSOFT.COM vs MICR0S0FT.COM) or an uppercase ninth letter of the alphabet “I” and a lowercase 12th letter “l” (eg. MICROSOFT.COM vs. MlCROSOFT.COM).

In the past, homoglyph attacks have also taken advantage of domains which contain Unicode characters (rather than conventional ASCII), allowing users to mistake - for instance - the Cyrillic "а" (U+0430) the ASCII character "a" (U+0061).  They may look the same but they are different characters!

In a blog post, Microsoft said that it continued to see homoglyph domains used in BEC scams, nation state activity, and the distribution of malware and ransomware.

As Microsoft explains in legal documents, attacks often combined with phishing attacks to steal credentials and break into the accounts of customers:

Credentials are most typically stolen through an attacker sending a “phishing” email to the victim that contains a link to a malicious website used to socially engineer victims into divulging their account login credentials.  Attackers accomplish this by using email domains chosen to impersonate trusted domains or appear otherwise legitimate, and malicious websites set up to impersonate legitimate Microsoft login pages (e.g., using trademark/copyright infringing images to spoof a legitimate Microsoft landing page).  The attackers’ goal is to deceive targeted victims such that they visit the malicious site and enter their Office 365 account credentials into a counterfeit login page, and those credentials are then captured for subsequent use by an attacker.  These types of malicious attacks persist despite the fact that Microsoft encourages all its customers to use certain precautions to protect account credentials such as enabling two factor authentication.

Microsoft says that its latest investigation began after a customer complained about a BEC attack that used a homoglyph domain in an attempt to trick the victim into transferring funds into a bank account controlled by cybercriminals.

In the example given by Microsoft, fraudsters came across a legitimate email at the compromised account of an Office 365 customer which referred to payment issues and requested advice on how to process payments.

The criminals seized the opportunity to send a bogus email - using a homoglyph domain nearly identical to the legitimate one, and the same sender name - which directed the victim to urgently transfer funds into a bank account under the control of the attackers.

According to Microsoft, the scammers are believed to operate out of West Africa, and are primarily targeting small businesses in North America.

Microsoft successfully won a judgement at the Eastern District of Virginia for the third-party domain registrars to disable the malicious domains it had uncovered, foiling the future plans of scammers to so easily impersonate employees of legitimate businesses and commit fraud.

Homoglyph attacks are not just useful for BEC scammers, but can also be used in all manner of other frauds - including phishing attacks.

"We continue to see this technique used in business email compromise (BEC), nation-state activity, malware, and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks," said Microsoft.

tags


Author



Right now

Top posts

Ultimate Privacy Guide for Your Facebook Account

Ultimate Privacy Guide for Your Facebook Account

August 31, 2021

6 min read
7 Signs It’s Time to Use Parental Controls On Your Family’s Devices

7 Signs It’s Time to Use Parental Controls On Your Family’s Devices

August 27, 2021

2 min read
Your Netflix Account May Be on Sale on Darkweb. Protect It

Your Netflix Account May Be on Sale on Darkweb. Protect It

August 13, 2021

3 min read
E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

July 29, 2021

5 min read
Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Google Prepares to Reset App Permissions on Billions of Devices Google Prepares to Reset App Permissions on Billions of Devices
Silviu STAHIE

September 20, 2021

1 min read
Sideloading Android Apps - Bane or Blessing for Android Users Sideloading Android Apps - Bane or Blessing for Android Users
Silviu STAHIE

September 20, 2021

2 min read
FTC Says Companies Operating Health Apps and Connected Devices Must Inform Users of Data Breaches FTC Says Companies Operating Health Apps and Connected Devices Must Inform Users of Data Breaches
Silviu STAHIE

September 17, 2021

1 min read