The rise of the homograph attack: Can you spot a fake email?

Agari’s Chief Scientist talks about the rise of the homographs in phishing attacks

This is a contributed piece by Markus Jakobsson, Chief Scientist at Agari

Email security advice for end users typically tells them to look for obvious, tell-tale signs that something about an email isn’t ‘right’, such as a slightly misspelt sender name or unusual domain name. However, even the most eagle-eyed user will be tricked by a malicious email that is visually identical to the real thing.

This is the challenge set by the homograph attack, a technique used by attackers that replicates legitimate domains by replacing characters with look-alikes that are indistinguishable to the human eye.

A basic example is replacing a lowercase “l” with an uppercase “I”: in many sans-serif fonts the two are hard to tell apart, although an attentive reader can still catch it. Craftier homograph attacks circumvent traditional security technologies by using characters that look identical to those they want to “impersonate”. Most homograph attacks use letters from other alphabets that look just like Latin letters but are entirely different code points to the computer. Cyrillic is one of the most popular choices because it shares several visually identical letters with the Latin alphabet, including A, C, M, O and T, giving attackers huge scope to impersonate names, brands and authorities.

While this attack method has recently resurfaced for deceptive URLs and domain names, homographs naturally have a lot of utility for email-based identity deception in general. They easily fool the most vigilant end users while circumventing the majority of technology-based email defences.

Homograph techniques can also be used within the body of an email to disguise keywords that content scanners are programmed to detect as potentially risky. For example, many email providers scan messages for the use of the word “password” since this is commonly used in malicious emails, and if detected, those messages are treated differently. But if “password” is written with a Cyrillic “о” character, it will no longer match the watch list and will slip through the filter. This is what happened in the now-infamous John Podesta email attack.


Detecting the deception

The ultimate aim of email security should be to leave nothing for the end user to worry about or second guess. Security filters should take care of threats before they ever reach the target’s inbox.

This can be a challenge, however, as filters clearly can’t block non-Latin character sets outright. Nor can they impose a blanket ban on mixed character sets, since these have many legitimate uses: text in languages such as Japanese and Korean, for example, routinely mixes in Latin characters.

Instead, a filter can detect a mixed character set and flag it as potentially dangerous. Any email that is flagged can be carefully processed, where “confusables” are mapped to the characters they look like before the email is scanned again.

The best way to protect end users from being tricked by homographs is to use enhanced email content scanning combined with identity authentication technology to prevent malicious emails from ever reaching users’ inboxes. Messages received from a sender who isn’t an established, trustworthy source undergo heightened security filtering. These filters can escalate scrutiny of high-risk emails, including those with mixed character sets. It’s then possible to perform a mapping that automatically determines what the content would look like to the end user - for example treating a character that merely looks like an O as an O. Keyword filters can then be applied as normal to the mapped text.
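The pipeline described above (flag tokens that mix scripts, map confusables to the characters they resemble, then rescan for watch-list keywords) is illustrated by the following Python example; it also covers the earlier case of “password” written with a Cyrillic “о”, and the same mapping applied to a sender domain. This is an added example, not Agari’s code or anything from the original article: the confusable table is a constructed subset of the Unicode UTS #39 data, the sample message, watch list and domain are constructed, and the script detection is a heuristic based on Unicode character names rather than a full implementation of UTS #39 restriction levels.

```python
import unicodedata

# Constructed subset of look-alike ("confusable") characters, keyed by the
# non-Latin code point and mapped to the ASCII letter it resembles. This is an
# assumption for illustration, not the full Unicode UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    # Cyrillic capitals that share glyphs with Latin capitals (A B C E H K M O P T X)
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X",
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0391": "A",  # GREEK CAPITAL LETTER ALPHA
}


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character from its character name.

    Digits, punctuation and whitespace are reported as "Common" so they never
    count as a second script on their own.
    """
    if not ch.isalpha():
        return "Common"
    if ch.isascii():
        return "Latin"
    try:
        name = unicodedata.name(ch)
    except ValueError:  # unassigned code point
        return "Unknown"
    return name.split(" ")[0].title()  # "CYRILLIC SMALL LETTER A" -> "Cyrillic"


def scripts_in(text: str) -> set:
    """Set of scripts used by the letters in text, ignoring Common characters."""
    return {script_of(c) for c in text} - {"Common"}


def is_mixed_script(text: str) -> bool:
    """True when the letters of text come from more than one script."""
    return len(scripts_in(text)) > 1


def skeleton(text: str) -> str:
    """Map text to what it looks like to a reader: NFKC-normalise (folds
    ligatures and full-width forms), then replace known confusables."""
    normalised = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(c, c) for c in normalised)


def scan_message(body: str, watchlist: list) -> dict:
    """Keyword scan before and after confusable mapping, plus the mixed-script flag
    that would escalate the message for closer scrutiny."""
    lowered = body.lower()
    mapped = skeleton(lowered)
    return {
        "mixed_script": is_mixed_script(body),
        "matches_raw": [w for w in watchlist if w in lowered],
        "matches_mapped": [w for w in watchlist if w in mapped],
    }


def inspect_domain(domain: str) -> dict:
    """Per-label mixed-script check, reader-visible skeleton and the punycode
    form (an "xn--" label is the tell that a domain is not plain ASCII)."""
    labels = domain.split(".")
    return {
        "scripts": sorted(scripts_in(domain)),
        "mixed_script_labels": [lbl for lbl in labels if is_mixed_script(lbl)],
        "skeleton": skeleton(domain),
        "punycode": domain.encode("idna").decode("ascii"),
    }


if __name__ == "__main__":
    # Constructed sample: "password" spelled with Cyrillic er and a (U+0440, U+0430).
    sample_body = "Someone has your \u0440\u0430ssword"
    print(scan_message(sample_body, ["password", "verify your account"]))
    # Constructed sample domain with a Cyrillic "pa" prefix.
    print(inspect_domain("\u0440\u0430ypal.com"))
```

Treat the `mixed_script` flag as a reason to escalate, not to block: a Japanese subject line with a Latin product name trips it just as the spoofed word does, and only the rescan of the mapped text tells the two apart. Note also that same-script look-alikes such as uppercase “I” and lowercase “l” are invisible to the script check; catching those requires the full confusables table, which folds both to one skeleton.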

It is also possible to detect warning signs outside of the content itself. For example, if a domain was registered less than three days ago, there’s a strong chance the message will not be from a legitimate sender - independent of whether the domain uses any confusable characters. 


Homographs on the rise?

The good news is that homograph attacks are still rare, and we’ve primarily seen them in the most sophisticated attacks from nation state actors. No effort was spared in the attacks that targeted Podesta and others in the Clinton campaign, for example, where homograph techniques were combined with several other advanced email attack methods. Similarly, the attacks on the Florida-based voting systems vendor were pulling out all the stops. Most enterprises do not yet face attacks of this sophistication. But this may soon change, as more cyber criminals begin to copy these successful attack techniques.

While homograph email attacks aren’t widely used yet, companies should not be complacent about the risks - particularly those operating in high-risk areas such as finance, where criminals will consider the potential payday worth the extra effort. Rather than being caught playing catch up, all organisations should ensure they protect themselves with identity-based security measures that will shut down fraud attempts before they make it to their users’ inboxes.