
Criminals are using Cyrillic characters to fool and defraud the unsuspecting. Read on to learn how to spot and avoid this dangerous tactic.
These two links look alike, except that the Latin character "b" is replaced with the Cyrillic character "Ь" in the second link.
https://some-bank.co.uk and https://some-Ьank.co.uk
It's easy to miss the difference if you're not looking carefully.
An HTML page or email hides the actual link behind the visible text, so you might not see the character at all; it will typically be encoded like this:
<a href="https://some-Ьank.co.uk">https://some-bank.co.uk</a>
When might you encounter a suspicious link like this?
Looking at a website using your desktop browser
Most readers will know that in a modern browser you can hover over a link to see what’s underneath.
You’ll see something like "xn--some-ank-dfh.co.uk", which is great: the browser shows something you weren't expecting, so you know you haven't been caught out.
More advanced readers might think to inspect the page.
Well actually, you can still get caught out here, because hovering over the link in the inspector does not highlight the issue (in the latest version of Microsoft Edge).
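The "xn--" form the browser shows on hover is the Punycode (IDNA) encoding of the internationalised name, and comparing hosts in that form is the most reliable way to spot a look-alike, whether in a hovered link or in the href/visible-text mismatch shown earlier. The following is an added example, not code from the original article: it converts between the two forms, flags labels that mix Latin and Cyrillic letters, and checks whether an anchor's target host matches the host its visible text claims. The sample link is constructed to mirror the article's (Latin "b" swapped for Cyrillic "Ь"), and the script-family heuristic uses the first word of each character's Unicode name rather than the formal Script property.

```python
import unicodedata
from urllib.parse import urlsplit

def to_ascii(host: str) -> str:
    """Punycode form a browser shows on hover (Python's codec implements IDNA 2003,
    which also case-folds, so the capital Ь becomes ь before encoding)."""
    return host.encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """Reverse direction: what an xn-- host renders as."""
    return host.encode("ascii").decode("idna")

def scripts_in(label: str) -> set:
    """Script family of each letter, from the first word of its Unicode name
    (heuristic, e.g. 'LATIN' or 'CYRILLIC'; digits and hyphens are ignored)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def is_mixed_script(label: str) -> bool:
    """A single label drawing letters from more than one script is the classic homograph pattern."""
    return len(scripts_in(label)) > 1

def non_ascii_labels(host: str) -> list:
    """Every non-ASCII label of the host, with its scripts and its punycode form."""
    return [(label, sorted(scripts_in(label)), to_ascii(label))
            for label in host.split(".") if not label.isascii()]

def link_mismatch(href: str, visible_text: str) -> bool:
    """True when an anchor's target host differs from the host its visible text claims.
    Both sides are compared in punycode so look-alike characters cannot hide the difference."""
    target = urlsplit(href).hostname or ""
    shown = urlsplit(visible_text).hostname or visible_text.lower()
    return to_ascii(target) != to_ascii(shown)

# Constructed sample mirroring the article's link: Latin 'b' replaced by Cyrillic 'Ь' (U+042C).
SAMPLE_HREF = "https://some-\u042cank.co.uk"
SAMPLE_TEXT = "https://some-bank.co.uk"

if __name__ == "__main__":
    host = urlsplit(SAMPLE_HREF).hostname
    print(to_ascii(host))                      # xn--some-ank-dfh.co.uk
    print(non_ascii_labels(host))              # [('some-ьank', ['CYRILLIC', 'LATIN'], 'xn--some-ank-dfh')]
    print(link_mismatch(SAMPLE_HREF, SAMPLE_TEXT))   # True
```

A fully Cyrillic label would not be flagged as mixed-script, which is why non_ascii_labels reports every non-ASCII label and not only the mixed ones.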
Looking at an email in Outlook on Windows
I was disappointed to see that the Outlook app does not warn of this issue (we sent the link through as plain text). I can hardly spot the character in this example; it was only when I clicked on it that I saw the suspicious URL.
I also tried "the new Outlook" and it didn't perform much better.
Looking at a website using your mobile phone
On the latest version of iOS, in the Safari browser, you can't hover in the same way as on a desktop. Instead you can try long-pressing a link. Unfortunately, the first time you do this you'll see a preview straight away. This loads the page on your device, which could expose your IP address or show unwanted material.
To stop this from happening you can click "Hide Preview" on a safe link, which will prevent future clicks from automatically previewing pages.
Looking at a link in Google Chat on your iPhone
Clicking a link in Google Chat's mobile app will likely ask you which app to open the link in (depending on settings).
Long pressing just copies the link.
So it's easy to get caught out even by messages in a trusted environment.
It's not just links: email addresses themselves can contain the characters too, e.g. email@some-Ьank.co.uk.
Whilst I expect that most readers will have seen this type of warning before, please don't think that you're safe just because you know how to hover over a link in your browser. Attacks involving Cyrillic characters can come in your web pages, in mobile apps, in emails, in chats or even in custom software.
Looking for a trusted partner to create secure, reliable software? Get in touch with our team today and let’s talk about how we can help bring your next project to life.