Criminals use Cyrillic characters that look like Latin letters (a so-called homograph attack) to fool and defraud the unsuspecting. Read on to learn how to spot and avoid this tactic.
These two links look almost identical, except that the Latin letter "b" is replaced with the Cyrillic letter "Ь" (U+042C, the capital soft sign) in the second link.
https://some-bank.co.uk and https://some-Ьank.co.uk
It's easy to miss the difference if you're not looking carefully.
In an HTML page or email the visible link text can differ from the real destination, so you might not see the character at all. The markup typically looks like this:
<a href="https://some-Ьank.co.uk">https://some-bank.co.uk</a>
When might you encounter a suspicious link like this?
Looking at a website using your desktop browser
Most readers will know that in a modern browser you can hover over a link to see its real destination in the status bar at the bottom of the window.

You'll see something like "xn--some-ank-dfh.co.uk". This is the Punycode (ASCII) form of the internationalised domain name, and because the browser shows something you're not expecting, you know you haven't been caught out.
More advanced readers might think to inspect the page.
Well actually, you can still get caught out here, because hovering over the link in the inspector does not highlight the issue (tested in the latest version of Microsoft Edge at the time of writing).
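As an added example (this is not code from the original post), here is a Python script that does the check described above programmatically: it converts a hostname to the Punycode form a browser shows, converts it back again, flags any label that mixes Latin and Cyrillic letters, and compares a link's visible text with its real href. It also handles email addresses, since the part after the @ is a hostname. The function names and the small CONFUSABLES table are my own assumptions; the table is a hand-picked subset, not Unicode's complete confusables list.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hand-picked subset of Cyrillic letters that render like Latin ones.
# Assumption: this is NOT Unicode's full confusables.txt, just the pairs
# most often abused in lookalike domain names.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u044c": "b",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u042c": "b",  # U+042C is the capital soft sign from the post
}


def script_of(ch):
    """Rough script name taken from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_ascii(host):
    """Punycode (xn--) form of a hostname, the way a browser status bar shows it."""
    return host.encode("idna").decode("ascii")


def to_unicode(ascii_host):
    """Reverse direction: turn an xn-- hostname back into the characters it hides."""
    return ascii_host.encode("ascii").decode("idna")


def analyze_host(host):
    """Report non-ASCII letters, known confusables and mixed scripts, label by label.

    A single label mixing scripts (Latin + Cyrillic) is the strong signal; a label
    written entirely in one non-Latin script may be a legitimate IDN.
    """
    findings = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        for c in label:
            if ord(c) > 127:
                findings.append({
                    "label": label, "char": c, "codepoint": f"U+{ord(c):04X}",
                    "name": unicodedata.name(c, "?"), "looks_like": CONFUSABLES.get(c),
                })
        if len(scripts) > 1:
            findings.append({"label": label, "mixed_scripts": sorted(scripts)})
    return {"host": host, "ascii_host": to_ascii(host),
            "suspicious": bool(findings), "findings": findings}


def analyze_url(url):
    """Analyze the hostname of a URL (urlsplit lowercases it, as browsers do)."""
    result = analyze_host(urlsplit(url).hostname or "")
    result["url"] = url
    return result


def analyze_email(address):
    """The domain part of an email address is a hostname, so the same check applies."""
    return analyze_host(address.rpartition("@")[2])


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_anchors(html):
    """Check each link's real destination and whether its visible text claims a
    different host, which is exactly the trick in the post's <a> example."""
    parser = _AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.anchors:
        result = analyze_url(href)
        text_host = urlsplit(text).hostname if "://" in text else None
        result["text_mismatch"] = (text_host is not None
                                   and to_ascii(text_host) != result["ascii_host"])
        results.append(result)
    return results


if __name__ == "__main__":
    # Constructed sample input mirroring the post's example link.
    SAMPLE_HTML = '<a href="https://some-Ьank.co.uk">https://some-bank.co.uk</a>'
    for r in analyze_anchors(SAMPLE_HTML):
        print(r["url"], "->", r["ascii_host"], "| text mismatch:", r["text_mismatch"])
        for f in r["findings"]:
            print("  ", f)
    print(analyze_email("email@some-Ьank.co.uk")["ascii_host"])
    print(to_unicode("xn--some-ank-dfh.co.uk"))
```

Run it directly to see the output for the post's sample link. A single non-ASCII letter is not proof of fraud (legitimate internationalised domain names exist); the stronger signal is one label that mixes scripts, which is roughly the rule browsers apply when deciding whether to display the xn-- form instead of the Unicode one.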

Looking at an email in Outlook on Windows
I was disappointed to see that the Outlook app does not warn about this issue (we sent the link through as plain text). I could hardly spot the character in this example; it was only when I clicked on it that I saw the suspicious URL.

I also tried "the new Outlook" and it didn't perform much better.
Looking at a website using your mobile phone
On the latest version of iOS, in the Safari browser, you can't hover in the same way as on a desktop. Instead you can try long-pressing a link. Unfortunately, the first time you do this you'll see a preview straight away. The preview loads the page on your device, which could expose your IP address to the site or show unwanted material.

To stop this from happening, tap "Hide Preview" on a safe link; this prevents future long presses from automatically previewing pages.

Looking at a link in Google Chat on your iPhone
Tapping a link in Google Chat's mobile app will likely ask you which app to open it in (depending on your settings).

Long pressing just copies the link.

So it's easy to get caught out, even by messages in a trusted environment.
It's not just links and files: email addresses can contain these characters too, e.g. email@some-Ьank.co.uk.
Looking at your filesystem
If an attacker can place an executable on your system, they've already gained a foothold. One common goal after that is to monitor your activity. Windows will happily run files placed on the filesystem, so if you install a banking app and exclude its folder from antivirus, a malicious program with the "same name" (a lookalike spelling using Cyrillic characters) placed beside it can keep running unnoticed, which makes quiet monitoring or stealthy data capture easier for the attacker.

Don't domain registrars block these domains?
Some domain registrars do attempt to block lookalike domains; for example, trying to register https://some-Ьank.co.uk on 123reg fails. However, we are aware of specific lookalike domains that could still be registered.
On the client side, DNS settings can be managed centrally by your IT department or adjusted on individual machines. I was particularly impressed that Microsoft Edge displayed a warning when I tested this by manually modifying my hosts file.

I wasn't impressed with Firefox

However, that's exactly the point of this post: most readers have probably seen this type of warning before, but you can't rely on it. Don't assume you're safe just because you know how to hover over a link or because a registrar might block lookalike domains.
Attacks using Cyrillic characters (or just similarly named domains) can appear anywhere: on web pages, in mobile apps, in emails, in chats, or even in custom software.
Looking for a trusted partner to create secure, reliable software? Get in touch with our team today and let's talk about how we can help bring your next project to life.