A recent report by the website KrebsOnSecurity shined a light on a couple of scams that are making the rounds and using domain names as a primary means of confusing users/victims.
The scams identified in the report show that the following domains are being used as part of elaborate phishing scams:
- ushank[.]com – for going after U.S. Bank customers.
- Login2.ẹmirạtesnbd[.]com – for Emirates NBD Bank in Dubai
- Cliẹntșchwab[.]com – looks like a login page for Charles Schwab clients
- Singlepoint.ụșbamk[.]com – phishing domain for U.S. Bank customers.
Further, if you look carefully at the last 3 domains above you can see that the domains are using non-Latin based letter called “punycode” to fool victims into visiting these websites because the punycode is really tough to see unless you are paying attention. Specifically, punycode is an internet standard that allows web browsers to render domain names with non-Latin alphabets. Let’s take a closer look.
For example:
Login2.ẹmirạtesnbd[.]com
The “e” and the “a” in “emirates” above are actually part of the alphabet of the Yoruba language which is spoken in Nigeria, and use the Latin alphabet with additional diacritic marks to represent specific sounds. The word café, for example, includes a diacritic mark that tells you to pronounce that last e as “ay.” The letter “ẹ” with a dot below it represents a nasalized version of the letter “e”, while “ạ” with a dot below it represents a low tone version of the letter “a”. These letters are not officially recognized by ICANN but they can be used to register a fraudulent domain name and confuse people.
This represents an intriguing development in phishing software attacks and the use of modified domain names to confuse users.
