Beware the Punycode
- By Stefan Hammond
- November 21, 2022
Security protocols are the boon and bane of every CDO's existence. In-house security teams insist on all sorts of inconvenient rules and regulations.
Users grumble. CSOs explain. In a seemingly never-ending spiral, rules and mandates tighten up rather than loosen.
Security professionals often seem like nagging aunties, but stakeholders need to understand that no matter what anyone thinks, security policies are essential defenses. The threats are real, and the people behind them are not benign.
Here's what you need to know: the bad guys never sleep. So while you're busy working on your quarterly projections, they're guzzling energy drinks and figuring out how to steal from you.
You already know never to click on embedded links in emails or text messages. And you have learned to scrutinize URLs for dodgy misspellings and other skullduggery.
But how scrupulous are your policies? Do you check meticulously for (just as an example) small and inconspicuous dots under the letters of any given URL?
In 2022, you need to know about Punycode.
ASCII malfeasance
ASCII is the original character-encoding standard for text-based communication. In the olden days, when JPEGs took what felt like hours to load over 300 baud modems, ASCII art was (and is) a way to transmit images, albeit in depictions reminiscent of typewriter art.
ASCII remains the lowest common denominator of global text communication: every encoding in wide use today, UTF-8 included, keeps its first 128 characters compatible with it. The character encoding standard (abbreviated from American Standard Code for Information Interchange) "uses ASCII codes that represent text in computers, telecommunications equipment, and other devices."
But it's an aging standard designed to transmit English and not much else. "Because of technical limitations of computer systems at the time it was invented, ASCII has just 128 code points, of which only 95 are printable characters, which severely limited its scope," says Wikipedia. "All modern computer systems instead use Unicode, which has millions of code points, but the first 128 of these are the same as the ASCII set."
Unicode: a better mousetrap
Many languages feature accent marks: German has ümlauts, French its çedilla, and Spanish marks stressed syllables with úseful accents. Nowadays, we long-press on our touchscreens and swipe over to the appropriate letter without thinking about it, thanks to the Unicode standard.
"Unicode...is an information technology standard for the consistent encoding, representation, and handling of text expressed in most of the world's writing systems." The standard encompasses "161 modern and historic scripts, as well as symbols, emoji, and non-visual control and formatting codes."
The bad guys never sleep
Unicode has proven robust, and its "success at unifying character sets has led to its widespread and predominant use in the internationalization and localization of computer software," says Wikipedia. The standard has transcended the "limitations of traditional character encodings...Many [of which] share a common problem in that they allow bilingual computer processing (usually using Latin characters and the local script), but not multilingual computer processing (computer processing of arbitrary scripts mixed with each other)."
Spot the Difference
Unicode handles visual language elements like the aforementioned accent marks and also handles behind-the-scenes formatting.
But accent marks can be used to spoof domain names. It's a variant on the "[email protected]" spoof: instead of a transposed or misspelled domain name, an accented letter hides the substitution in a name that otherwise reads correctly.
The concept is simple and well suited to spear phishing.
Let's say a target is known to have a loyalty card or other ID registered with a vendor called "Big Server Farms." Said target might then hurriedly click a link in an unsolicited email from "support@bígserverfarms"...or so the bad guys hope.
Never has "Spot the Difference" been more useful. That tiny accent over the "i" is the whole trick. Ideally, users click no links in unsolicited messages at all, but this is not a mistake anyone wants to make.
And according to security researcher Brian Krebs, cybercriminals who call themselves the "Disneyland Team" have been using Punycode, the ASCII encoding that lets Unicode characters appear in domain names, to spoof bank domain names.
Specks of dust
"A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic," writes Krebs. Punycode (RFC 3492) is a representation of Unicode using the limited ASCII character subset allowed in Internet hostnames. A label that contains non-ASCII characters is stored in DNS in its encoded form with the prefix "xn--", and it is the browser or mail client that turns it back into the accented or Cyrillic text the user sees.
Examining the misspellings the Disneyland Team uses is illustrative. They use Punycode for their phony bank domains to look more legit. For example, U.S. financial services firm Ameriprise might be spoofed "as ạmeriprisẹ[.]com...Look carefully, and you’ll notice small dots beneath the “a” and the second “e”. You could be forgiven if you mistook one or both of those dots for a speck of dust on your computer screen or mobile device," writes Krebs.
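The check below is an added example, not code from the article or from KrebsOnSecurity. It takes a host name as it would appear in a link or a From: address, shows the "xn--" form that DNS actually resolves, and then does "spot the difference" by machine: it normalises each label with NFKD (the "a" with a dot below, U+1EA1, decomposes into a plain "a" plus a combining dot), drops the combining marks, maps a handful of Cyrillic lookalikes to Latin, and flags any label that collapses onto a protected brand name without being that name. The brand list and the small confusables table are assumptions made for the example; a real deployment would use the Unicode confusables data (UTS #39).

```python
"""Spot-the-difference, done by machine.

Added example (not from the article or from KrebsOnSecurity): given a host
name as it appears in a link or a From: address, show the ASCII "xn--" form
that DNS actually resolves, and flag labels a reader would mistake for a
protected brand once accents, dots-below and a few cross-script lookalikes
are stripped.
"""
import unicodedata

# Assumption: a small hand-picked table of Cyrillic characters that render
# like Latin ones.  A real deployment should load the full Unicode confusables
# data (UTS #39) rather than this subset.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}


def to_ascii_label(label):
    """The label as DNS sees it: unchanged if pure ASCII, else 'xn--' + Punycode.

    Real IDNA also applies normalisation and validity rules before encoding;
    lower() is enough for this illustration.
    """
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def from_ascii_label(label):
    """Inverse of to_ascii_label: what a client would display for an xn-- label."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label):
    """Collapse a label to roughly what a hurried reader perceives."""
    out = []
    for ch in unicodedata.normalize("NFKD", label.lower()):
        if unicodedata.combining(ch):
            continue  # drop accents, cedillas, the dot below in 'ạ', ...
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def scripts(label):
    """Rough set of scripts in a label, from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_domain(domain, brands):
    """Return a report dict; 'suspicious' is True when any label spoofs a brand or mixes scripts."""
    host = domain.rstrip(".").lower()
    labels = host.split(".")
    findings = []
    for label in labels:
        skel = skeleton(label)
        if skel in brands and label != skel:
            findings.append("label %r reads as brand %r" % (label, skel))
        found = scripts(label)
        if len(found) > 1:
            findings.append("label %r mixes scripts %s" % (label, sorted(found)))
    return {
        "input": host,
        "dns_name": ".".join(to_ascii_label(part) for part in labels),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    # Constructed samples: the Ameriprise lookalike Krebs describes, the
    # article's accented-i example, a clean name, and a Cyrillic-a mix.
    brands = {"ameriprise", "bigserverfarms", "paypal"}
    for sample in ("ạmeriprisẹ.com", "bígserverfarms.com", "ameriprise.com", "p\u0430ypal.com"):
        print(check_domain(sample, brands))
```

Run against the four constructed samples, the first two and the last are reported as suspicious and the plain ameriprise.com is not. The skeleton comparison catches the all-Latin, accent-only spoofs that a mixed-script check alone would miss, which is exactly the class the Disneyland Team favours; the mixed-script check catches the Cyrillic case that NFKD alone would miss.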
Defense strategies
Scrutinizing screens for dust specks is not a strategy against spear phishing. Instead, just say no to risky clicks: reach your bank or vendor through a bookmark or a URL you type yourself, never through a link in an unsolicited message. Browsers and mail clients will often fall back to showing the raw "xn--" form when a name mixes scripts, but an all-Latin lookalike such as ạmeriprisẹ[.]com can still render as the accented text, so the host name in the address bar must match the plain ASCII name you expect, character for character.
Krebs has one more suggestion worth noting: "For many years, KrebsOnSecurity tracked the day-to-day activities of a similar malware crew that used web injects and bots to steal tens of millions of dollars from small- to mid-sized businesses across the United States."
"At the end of each story, I would close with a recommendation that anyone concerned about malware snarfing their banking information should strongly consider doing their online banking from a dedicated, security-hardened system which is only used for that purpose."
"Those stories also observed that since the vast majority of the malicious software used in cyberheists is designed to run only on Microsoft Windows computers, it made sense to pick a non-Windows computer for that dedicated banking system, such as a Mac or even a version of Linux. I still stand by this advice."
Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics, and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].
Image credit: iStockphoto/Dragon Claws