3 min read

Homoglyph domains used in BEC scams shut down by Microsoft

Graham CLULEY

July 22, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Homoglyph domains used in BEC scams shut down by Microsoft

17 domains used in Business Email Compromise (BEC) scams have been seized by Microsoft's Digital Crimes Unit (DCU), following an investigation by the software giant into attacks that could have stolen millions of dollars from innocent firms.

The "homoglyph" domains impersonated domains used by legitimate businesses, and were used in attempts to defraud Microsoft Office 365 customers.

Homoglyph domains exploit the fact that many different characters look identical or very similar.

For instance, the capital letter "O" and the number "0" (eg. MICROSOFT.COM vs MICR0S0FT.COM) or an uppercase ninth letter of the alphabet “I” and a lowercase 12th letter “l” (eg. MICROSOFT.COM vs. MlCROSOFT.COM).

In the past, homoglyph attacks have also taken advantage of domains which contain Unicode characters (rather than conventional ASCII), allowing users to mistake - for instance - the Cyrillic "а" (U+0430) the ASCII character "a" (U+0061).  They may look the same but they are different characters!

In a blog post, Microsoft said that it continued to see homoglyph domains used in BEC scams, nation state activity, and the distribution of malware and ransomware.

As Microsoft explains in legal documents, attacks often combined with phishing attacks to steal credentials and break into the accounts of customers:

Credentials are most typically stolen through an attacker sending a “phishing” email to the victim that contains a link to a malicious website used to socially engineer victims into divulging their account login credentials.  Attackers accomplish this by using email domains chosen to impersonate trusted domains or appear otherwise legitimate, and malicious websites set up to impersonate legitimate Microsoft login pages (e.g., using trademark/copyright infringing images to spoof a legitimate Microsoft landing page).  The attackers’ goal is to deceive targeted victims such that they visit the malicious site and enter their Office 365 account credentials into a counterfeit login page, and those credentials are then captured for subsequent use by an attacker.  These types of malicious attacks persist despite the fact that Microsoft encourages all its customers to use certain precautions to protect account credentials such as enabling two factor authentication.

Microsoft says that its latest investigation began after a customer complained about a BEC attack that used a homoglyph domain in an attempt to trick the victim into transferring funds into a bank account controlled by cybercriminals.

In the example given by Microsoft, fraudsters came across a legitimate email at the compromised account of an Office 365 customer which referred to payment issues and requested advice on how to process payments.

The criminals seized the opportunity to send a bogus email - using a homoglyph domain nearly identical to the legitimate one, and the same sender name - which directed the victim to urgently transfer funds into a bank account under the control of the attackers.

According to Microsoft, the scammers are believed to operate out of West Africa, and are primarily targeting small businesses in North America.

Microsoft successfully won a judgement at the Eastern District of Virginia for the third-party domain registrars to disable the malicious domains it had uncovered, foiling the future plans of scammers to so easily impersonate employees of legitimate businesses and commit fraud.

Homoglyph attacks are not just useful for BEC scammers, but can also be used in all manner of other frauds - including phishing attacks.

"We continue to see this technique used in business email compromise (BEC), nation-state activity, malware, and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks," said Microsoft.

tags


Author



Right now

Top posts

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

Threat actors impersonate Canadian gas retailer to deliver malicious OneNote phishing campaign, Bitdefender Labs warns

January 26, 2023

2 min read
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns

January 19, 2023

4 min read
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

November 29, 2022

2 min read
How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

North Korean Hackers Tried to Launder $100 Million in Crypto Stolen in 2022 North Korean Hackers Tried to Launder $100 Million in Crypto Stolen in 2022
Silviu STAHIE

January 25, 2023

1 min read
Riot Games Compromised in Social Engineering Attack, Suspends All New Releases Riot Games Compromised in Social Engineering Attack, Suspends All New Releases
Silviu STAHIE

January 23, 2023

1 min read
Criminals Access More than 30,000 PayPal Accounts Criminals Access More than 30,000 PayPal Accounts
Silviu STAHIE

January 20, 2023

1 min read