WhatsApp scams and the use of internationalised domain names

There has recently been widespread reporting of scams circulating in the UK on the WhatsApp messaging platform, an example of which can be seen on BBC News [1]. While the scam itself was fairly routine, the interesting feature of these messages was the use of so-called ‘internationalised’ domain names (IDNs): names containing characters from outside the basic Latin alphabet that are chosen because they look like a familiar brand.

In the image below it’s possible to see the small bar across the letter d of Asda (officially a ‘d with stroke’, đ). At a glance, however, it’s easy to miss or to assume it’s a rendering error.

This isn’t the first time the technique has been used. Indeed, our own Red Team and phishing simulations utilise it when necessary. However, given the large number of people who fell for this scam, it’s worth pausing to consider the potential risks and what can be done to mitigate them.

How does this work?

The Domain Name System (DNS), which converts a name like nccgroup.com into a corresponding server address, traditionally permits only a small set of characters in host names: the letters a to z, the digits 0 to 9 and the hyphen. Originally, it wasn’t possible to represent letters with diacritics (like an accent) or characters from other alphabets such as Chinese, Greek, Cyrillic or Hebrew. Historically, this limited internet users to anglicised representations of brand names or everyday words.

But this changed in the early 2000s, when new standards for Internationalised Domain Names (IDN) emerged. Rather than changing DNS itself, an IDN is encoded into the restricted character set using Punycode, producing labels that begin with xn-- (for example, a browser resolves the xn-- form and then decodes it back to Unicode for display in the address bar). Support was introduced for additional alphabets, improving language compatibility but also enabling potential abuse from similar looking names.

Those curious about the technical details can read a good primer from the Unicode Consortium [2]. There’s even a list of confusables [3] (those characters which look similar to others) and a useful tool to see which characters could be substituted for a word or brand name. When using the tool it’s best to restrict the available characters to IDNA2003 or IDNA2008, which represent the characters permitted in an internationalised domain name.
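As an added example (not code from the original post, and not the Domain Intelligence platform), the Python below shows the three pieces a practitioner wants to see together: the Punycode (xn--) form of a homograph domain as produced by the IDNA codec shipped with CPython, a check for a label that mixes scripts (which catches nccgᴦoup.com, where ᴦ is Greek), and a confusables ‘skeleton’ check that also catches asđa.com, where đ is a Latin letter and so mixed-script detection alone would miss it. The confusables map and the brand watchlist are constructed for the example and deliberately partial; the full list is Unicode’s confusables.txt [3]. The candidates() function does in miniature what the Unicode substitution tool does: it lists the single-character lookalikes of a brand so they can be pre-registered or monitored.

```python
import unicodedata

# Constructed, partial confusables map covering the examples in this post.
# The real list is Unicode's confusables.txt (reference [3]); this is not a substitute for it.
CONFUSABLES = {
    "\u0111": "d",  # đ LATIN SMALL LETTER D WITH STROKE (the Asda message)
    "\u1d26": "r",  # ᴦ GREEK LETTER SMALL CAPITAL GAMMA (nccgᴦoup.com above)
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0131": "i",  # ı LATIN SMALL LETTER DOTLESS I
    "\u04cf": "l",  # ӏ CYRILLIC SMALL LETTER PALOCHKA
}

# Constructed (hypothetical) watchlist of brand labels we want to protect.
WATCHLIST = {"nccgroup", "asda"}


def to_ascii(domain: str) -> str:
    """Encode a Unicode domain to its ACE ('xn--') form with CPython's IDNA2003 codec."""
    return domain.encode("idna").decode("ascii")


def to_unicode(ace_domain: str) -> str:
    """Decode an ACE domain back to Unicode, as a browser does before display."""
    return ace_domain.encode("ascii").decode("idna")


def scripts(label: str) -> set:
    """Approximate each character's script from the first word of its Unicode name.

    'LATIN SMALL LETTER N' -> LATIN, 'GREEK LETTER SMALL CAPITAL GAMMA' -> GREEK.
    Digits and hyphens are common to every script and are ignored.
    """
    found = set()
    for ch in label:
        word = unicodedata.name(ch, "UNKNOWN").split()[0]
        if word not in ("DIGIT", "HYPHEN-MINUS"):
            found.add(word)
    return found


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII it resembles: NFKC + casefold, drop accents, map confusables."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    out = []
    for ch in unicodedata.normalize("NFD", folded):
        if unicodedata.category(ch) == "Mn":  # combining accent, e.g. the acute in é
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def assess(domain: str) -> dict:
    """Report why a domain looks like a homograph of a watched brand (empty reasons = clean)."""
    reasons = []
    for label in domain.split("."):
        if label.isascii():
            continue  # plain typo-squats such as ncccgroup.com need a different check
        found = scripts(label)
        if len(found) > 1:
            reasons.append(f"{label!r} mixes scripts {sorted(found)}")
        sk = skeleton(label)
        if sk in WATCHLIST:
            reasons.append(f"{label!r} is confusable with watched brand {sk!r}")
    return {"domain": domain, "ascii": to_ascii(domain), "reasons": reasons}


def candidates(brand: str) -> set:
    """Single-character homograph variants of a brand label: the attacker's shopping list."""
    lookalikes = {}
    for glyph, ascii_char in CONFUSABLES.items():
        lookalikes.setdefault(ascii_char, []).append(glyph)
    variants = set()
    for i, ch in enumerate(brand):
        for glyph in lookalikes.get(ch, []):
            variants.add(brand[:i] + glyph + brand[i + 1:])
    return variants


if __name__ == "__main__":
    for d in ("nccgroup.com", "nccgᴦoup.com", "asđa.com"):
        print(assess(d))
    for v in sorted(candidates("asda")):
        print(v, to_ascii(v + ".com"))
```

Two caveats for anyone adapting this. The script heuristic is taken from character names rather than the Unicode Script property, which is good enough here but will misfile a few characters; and the skeleton only knows the handful of confusables in the map above, so a production check should load the full confusables.txt and apply it to the registrable label (which for a name such as example.co.uk means consulting the public suffix list rather than splitting on dots).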

How can I protect my brand?

It’s clear this technique works. If you were asked to click on a link to nccgᴦoup.com rather than nccgroup.com, would you notice the difference?

We see our clients affected by phishing, CEO scams and invoice fraud on a regular basis. It’s all too easy for a criminal to purchase a domain such as nccgᴦoup.com or mail-nccgroup.com to conduct their activity.

Our Domain Intelligence platform [4] is designed to detect these purchases, giving your IT or security teams the necessary information to react quickly and minimise any potential harm. Crucially, the platform was designed from the outset with support for both Internationalised Domain Names and typo-squatting (for example ncccgroup.com).

What if I’ve suffered this kind of abuse?

It’s important to act quickly, investigating whether abuse has occurred and the potential business impact.

Have staff seen phishing attempts or clicked on links? Did customers or suppliers receive emails pretending to be from your organisation? Does any of the technical evidence show a history of similar abuse? Piecing together these answers can help to understand what an appropriate response should be.

It’s also good to be proactive, liaising with hosting companies, domain registrars and other service providers to take down the domain. From our experience, we know that it’s not possible to rely on all companies to act responsibly and many will conduct the bare minimum checks or have overworked abuse teams. Where required, our consultants can assist with domain takedowns.

Conclusion

For as little as 99 pence, a scammer can register a legitimate looking name and conduct fraudulent activity, perhaps gaining tens of thousands of pounds in the process. We believe an effective defence involves actively monitoring these risks and taking action early when potential abuse is detected.

If you are interested in our Domain Intelligence or Domain Takedown services, you can enquire by contacting response@nccgroup.trust.



References

[1] http://www.bbc.co.uk/news/uk-41900814

[2] http://unicode.org/faq/idn.html#6

[3] http://unicode.org/cldr/utility/confusables.jsp

[4] https://www.nccgroup.trust/uk/our-services/cyber-security/products-and-cloud-services/domain-intelligence/

Published date:  09 November 2017

Written by:  David Cannings
