An IDN homograph attack leveraging Adobe’s brand has been discovered, with the malicious site spreading the Betabot backdoor and ultimately infecting compromised machines with cryptocurrency-mining and data-stealing malware.
Attacks using internationalized domain name homographs rely on users falling for Unicode or ASCII characters that appear similar to Latin characters. Attackers host a malicious site and lure potential victims there, exposing them to exploits or malware downloads with the user none the wiser to the fact that the domain name is incorrect without a close inspection.
In this case, researcher Ankit Anubhav said the attackers have registered adoḅe[.]com (note the “b”) and are using it to spread a phony Flash Player download that instead serves up Beta Bot.
“It’s a good attempt. Someone took their time to set up a good fake,” Anubhav said.
Kaspersky Lab describes Beta Bot as a Trojan that first disables security software and denies users from accessing security websites. An attacker can also use it to remotely communicate with an infected machine and send through commands that steal data through form grabbers.
The site was registered with GoDaddy on Aug. 17, according to the site’s Whois record. The attacker also was successful registering the site as “Adobe Systems Incorporated.”
Anubhav disclosed the issue to Adobe in the hope he said that the software giant may act to have the site taken down since it’s impersonating their brand. A request for comment from Threatpost to Adobe was not returned in time for publication.
“This is not direct a security issue with Adobe, but someone is impersonating them to spread malware, something they won’t like,” Anubhav said.
Anubhav said an attacker could send a link to the malicious site and given that the URL would likely be underlined in an email or SMS, for example, it would obscure the mark under the Unicode “b.”
“If someone took this much pain, he must [be doing] it for targeted attacks and not for spam to send everyone,” Anubhav said.
IDN homograph attacks are not new. The issue surfaced most recently in April when Google patched a vulnerability in Chrome that would have made it easier to carry out phishing attacks using this method.
Xudong Zheng, a Chinese researcher, found the flaw that would trick Chrome into bringing victims to the malicious site without throwing up a browser warning. The victim could then be enticed into entering credentials or other personal information.
Zheng said that because of the way Punycode works, an attacker could register domains with foreign characters. This is what allowed his attack to defeat homograph protections native to browsers such as Chrome and Firefox.
“The homograph protection mechanism in Chrome, Firefox, and Opera unfortunately fails if every character is replaced with a similar character from a single foreign language,” Zheng wrote in his disclosure published April 14. “The domain ‘аррӏе.com,’ registered as ‘xn--80ak6aa92e.com,’ bypasses the filter by only using Cyrillic characters.”
Zheng said the Punycode vulnerability is present in Firefox as well, but Mozilla decided against fixing it.