New Homograph Phishing Attack Impersonates Bank of Valletta, Leverages Valid TLS Certificate

Liviu ARSENE

August 07, 2019

Bitdefender researchers recently uncovered a new IDN (internationalized domain name) homograph phishing attack in which attackers impersonate the Bank of Valletta, Malta. Bitdefender’s Deep Learning technologies, trained specifically to spot this type of homograph attack, quickly flagged the website for phishing. This triggered an investigation by our teams to better understand the mechanics behind it.

Key findings:

  • Homograph phishing attack targeting a bank
  • Uses a valid TLS certificate to generate trust
  • Displays a Microsoft Account popup to harvest credentials

Quality Phishing

IDN homograph attacks are not new. They use characters that look almost the same, such as the Greek Ο, the Latin O, and the Cyrillic О, but have different Unicode code points. For example, while “bankofamerica.com” might closely resemble “bankofamericà.com” to the untrained eye, the second uses a Latin small letter “a” with grave (à) in place of the plain “a”. This means attackers can register similar-looking domains in which some letters have been replaced by homographs from another alphabet.

The Bank of Valletta phishing website seems to be an accurate knockoff of the legitimate website, at least when opening the main page. Shortly afterwards, users are prompted with what appears to be a Microsoft dialog box asking for a username and password to access a restricted area. While this is clearly not something the legitimate website displays, it seems attackers are using this dialog box to potentially collect Microsoft Account credentials from Bank of Valletta website visitors.

Fig. 1 – Microsoft Account Dialog Box displayed by the phishing website

After clicking “OK”, users are left with a seemingly legitimate website, unless they start clicking through links and menus. Once users decide to leave the home page, a message saying “Testing Underway…” is soon displayed, preventing users from ever reaching any other content apart from the content displayed on the phishing home page.

Fig. 2 – Phishing website message with “Testing Underway…”

Interestingly, the phishing domain also bears a valid digital certificate issued by Let’s Encrypt that seems to be valid until October 1st 2019. This CA (Certificate Authority) issues free certificates that are valid for a limited time, usually around 90 days, which suggests that these scammers want to seem legitimate without investing too much or giving away any information that could be traced back to them.

Adding a valid certificate to a domain is also a good way to eliminate any security warning displayed by browsers when visiting unencrypted websites or to trick less-tech-savvy users into believing the website is indeed legitimate. Abusing a legitimate CA (Certificate Authority) and using a legitimate certificate to run a phishing website may suggest that attackers could be aiming for a qualitative attack rather than a quantitative one.

Fig. 3 – Valid digital certificate for the phishing website

While the valid certificate might expire in 90 days, this may be enough time for attackers to test and plan their spear phishing attack before they get reported.

When searching for domains related to the one found in the certificate, our team found four others that share the same homograph attack scheme:

  • DNS Name: bank0fvalletta.com
  • DNS Name: www.xn--bv-2ya.com
  • DNS Name: xn--bv-2ya.com
  • DNS Name: xn--ov-blb.com
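
An added example (not Bitdefender's code) of the defender-side check the homograph discussion above calls for: it decodes the Punycode (xn--) labels listed here into the Unicode a browser would render, collapses look-alike characters into an ASCII skeleton, and flags any domain whose skeleton collides with the bank's real domain. It assumes the legitimate domain is bov.com and uses a small hand-picked confusable table rather than Unicode's full confusables list.

```python
import unicodedata

# Protected brand domain to compare against (assumption: Bank of Valletta's real site is bov.com).
PROTECTED = {"bov.com"}

# Candidate domains, constructed from the four names listed in the post.
CANDIDATES = ["bank0fvalletta.com", "www.xn--bv-2ya.com", "xn--bv-2ya.com", "xn--ov-blb.com"]

# Small hand-picked confusable table covering the cases on this page; a production filter
# would load Unicode's full confusables.txt instead (assumption, not from the post).
CONFUSABLES = {"\u0299": "b", "0": "o", "1": "l", "\u03bf": "o", "\u043e": "o"}

def decode_idn(domain):
    """Turn Punycode (xn--) labels into the Unicode string a browser would render."""
    return ".".join(
        lab.encode("ascii").decode("idna") if lab.startswith("xn--") else lab
        for lab in domain.lower().split(".")
    )

def skeleton(host):
    """Collapse look-alikes: drop combining marks (grave, horn, ...) then map known confusables."""
    decomposed = unicodedata.normalize("NFKD", host)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)

def scripts_used(label):
    """Scripts present in a label, taken from the first word of each character's Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def analyse(domain):
    """Return (rendered host, skeleton, reasons); an empty reasons list means nothing suspicious."""
    host = decode_idn(domain)
    host = host[4:] if host.startswith("www.") else host
    reasons = []
    odd = [c for c in host if ord(c) > 127]
    if odd:
        reasons.append("non-ASCII: " + ", ".join(
            f"{c} (U+{ord(c):04X} {unicodedata.name(c, '?')})" for c in odd))
    for label in host.split("."):
        if len(scripts_used(label)) > 1:
            reasons.append(f"mixed scripts in '{label}': {sorted(scripts_used(label))}")
    skel = skeleton(host)
    if skel != host:
        reasons.append(f"look-alike substitution: skeleton is '{skel}'")
        if skel in PROTECTED:
            reasons.append(f"skeleton collides with protected domain {skel}")
    return host, skel, reasons

if __name__ == "__main__":
    for d in CANDIDATES:
        host, skel, reasons = analyse(d)
        print(f"{d:22} -> {host:18} skeleton={skel:20} {'; '.join(reasons) or 'OK'}")
```

Running it shows that xn--bv-2ya.com renders as bơv.com and xn--ov-blb.com as ʙov.com (a small-capital b), both collapsing to the skeleton bov.com.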

Conclusions and Recommendations

What makes this phishing website interesting is that its domain name is almost indistinguishable from that of the legitimate bank – users might dismiss the grave on top of the “ơ” as a smudge on their screen.

The use of valid certificates is yet another interesting aspect not usually associated with mass phishing campaigns. This might suggest that attackers are narrowing down their victim pool to a handful of “candidates”, potentially to hijack their Microsoft Accounts.

To steer clear of these types of attacks, users are strongly encouraged to install a security solution that can look beyond the telltale signs of a phishing website and prevent them from accessing fraudulent, phishing, or malicious websites. It’s also recommended to exercise caution when clicking on URLs – even though they might seem legitimate – and submitting data that could be considered critical.
