Researchers have pointed out that hackers can use deceptive characters in services like Outlook to fool and infect sensitive users of a particular organization. Though these attacks have a small scope, they are highly targeted. Microsoft acknowledged the risk after Bitdefender's report but has not pushed any update to safeguard users.
Misusing Characters For Deceiving People
Until the last decade, most of the internet applications we use were written mainly in English, using the Latin alphabet of 26 easily recognized characters. But as the internet expands to more regions, alphabets and characters from many local scripts are being added to mainstream content. With this expansion, the scope of homograph attacks has increased, say Bitdefender researchers.

A homograph attack is simply the misuse of similar-looking characters to deceive users, which helps threat actors lure victims into handing over the data they want. For example, because internationalized domain names (IDN) allow digits and non-Latin letters, a threat actor can write "zero" in G00GLE instead of the letter "o" in the real GOOGLE spelling. Domains built this way can then be used to deceive others. Though the visual difference is slight, the attacks that arise from it are serious.

Observing this, Bitdefender researchers informed Microsoft that its Office applications are vulnerable to such attacks and urged it to issue a patch to safeguard against them. They explained that services like Outlook can be abused to deliver malicious URLs that use deceptive characters to imitate a prominent organization, aimed at a sensitive target to lure them into something harmful. The URLs in these attacks look entirely legitimate, and the substitution can only be seen properly once the link is loaded into a web browser, a step most users skip. In some cases, simply loading such a malicious link downloads malware automatically. Warning against such incidents, Bitdefender researchers therefore asked Microsoft to defend against homograph attacks. Though Redmond acknowledged the issue last year, it has not pushed an update to date.
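As an added illustration (not code from the Bitdefender report or from any Microsoft product), here is a small Python check of the kind a mail gateway or URL filter could run on link hosts: it decodes punycode to the text the recipient actually sees, flags labels that mix scripts, and maps a look-alike table onto a brand allowlist to catch substitutions such as "0" for "o". The confusable table and the brand list are constructed assumptions for this example.

```python
import unicodedata

# Constructed, deliberately small confusable map: look-alike character -> ASCII
# "skeleton" letter. A production filter would load Unicode's confusables.txt.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u03bf": "o", "\u03b1": "a",                                 # Greek ο α
}
PROTECTED_BRANDS = {"google", "microsoft", "outlook"}  # constructed allowlist


def skeleton(label: str) -> str:
    """Collapse a label to the ASCII string it visually resembles."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def check_domain(host: str) -> dict:
    """Inspect one link host the way a mail gateway or URL filter might."""
    # Punycode (xn--) labels decode to the Unicode the recipient actually sees.
    try:
        visible = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        visible = host
    findings = []
    for label in visible.lower().split("."):
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed scripts in '{label}'")
        for brand in PROTECTED_BRANDS:
            if label != brand and skeleton(label) == brand:
                findings.append(f"'{label}' looks like '{brand}'")
    return {"visible": visible, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample hosts: one legitimate, one digit swap, one Cyrillic swap.
    for host in ("google.com", "g00gle.com", "g\u043e\u043egle.com"):
        print(host, "->", check_domain(host))
```

A real deployment would pair this with the full Unicode confusables data and the organization's own brand and partner domains, and would surface the decoded form to the user rather than only blocking.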