New Tricks To Avoid Detection By Counter-Phishing Technologies
Phishing is a techno-social engineering evil in which cybercriminals gather private, sensitive information directly from the victim by masquerading as a trusted website. The masqueraded site could be a government site (such as the income tax department) or a banking site. In corporate espionage cases, however, it could be any other site, used to steal credentials for access to sensitive corporate data or information.
In most cases, the initial communication is through an email message, an SMS or even a WhatsApp message. Once the victim is lured or instigated to click on the malicious link, she is led to a masqueraded webpage which is a lookalike of (say) her bank's webpage. Once the user fills in her credentials, they are used to access her bank account and exfiltrate the funds. To counter these phishing messages and web pages, technology has now evolved to warn the victim that she is looking at a phishing message or webpage.
Counter-phishing automated systems look for the bank name or phrases which are generally used in phishing e-mails or webpages. Some web browsers also have these capabilities built in. Cybercriminals are now developing new approaches to beat these counter-phishing measures.
One of the approaches used by phishing criminals is to use non-English letters that look like English letters. Let's see some examples. They use à or ā or á in place of the English letter ‘a’, and é or è or ė or ē in place of the English letter ‘e’. Thus on screen, hdfcbank..com may look like hdfćbàñk..com. To humans, they both look the same, but to an automated system they are very different, hence no warning is raised.
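The lookalike-letter gap described above can be closed on the filtering side by folding accents before comparing. The following is an added example, not code from the original article; the watch-list, function names and sample domains are assumptions constructed for illustration, and the last category goes slightly beyond the article by flagging letters (such as Cyrillic) that accent folding cannot map.

```python
import unicodedata

# Assumption: a constructed watch-list of domains the filter protects.
PROTECTED = {"hdfcbank.com"}


def skeleton(domain: str) -> str:
    """Fold accented letters to their base letter (à -> a, ć -> c)."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def wire_form(domain: str) -> str:
    """ASCII (punycode) form that DNS and naive string matching see."""
    return domain.lower().encode("idna").decode("ascii")


def classify(domain: str) -> str:
    name = domain.lower()
    if name in PROTECTED:
        return "exact"
    folded = skeleton(name)
    if folded in PROTECTED:
        return "lookalike"   # differs from a protected name only by accents
    if not folded.isascii():
        return "non-ascii"   # letters that folding cannot map, e.g. Cyrillic
    return "unlisted"


if __name__ == "__main__":
    # Constructed samples; the second uses the accented spelling from the text.
    for d in ["hdfcbank.com", "hdfćbàñk.com", "example.org"]:
        print(f"{d:16} wire={wire_form(d):24} -> {classify(d)}")
```

A plain string comparison sees only the `xn--` wire form, which shares no substring with the protected name; comparing skeletons restores the match a human eye makes.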
Another approach is to use custom fonts. Any UTF code can be represented by any font glyph (the vector image of the letter). For example, the UTF code for the letter ‘c’ is U+0063, but its representation on screen could well be ‘H’. Therefore, what the machine sees and what a human sees are different. Phishing criminals exploit this gap: the phishing message is readable by humans, but machines see garbage.
The third approach is related to image/logo recognition. If phishing criminals use the logo of the bank, counter-phishing systems can identify it and block such communication. Therefore cybercriminals have started rendering scalable vector graphics, where the image is not part of the message but is rendered by fetching it, even from the original banking site.
The solutions to all three of the above problems are simple. Do not “Click” to go to your bank website, not even from a browser bookmark. Always type the full bank web address yourself. You may use a Word file or Excel file to copy-paste these web page names, but please do not forget to “Remove Hyperlink”, which generally gets created automatically.