This document describes the use of homoglyph characters in advanced phishing attacks and how to be aware of these when using message and content filters on the Cisco Email Security Appliance (ESA).
Homoglyph Advanced Phishing Attacks
In advanced phishing attacks today, phishing emails may contain homogyph characters. A homoglyph is a text character with shapes that are near identical or similar to each other. There may be URLs embedded in phising emails that will not be blocked by message or content filters configured on the ESA.
An example scenario may be as follows: Customer wants to block an email that had contains the URL of www.pɑypal.com. In order to do so, an inbound content filter is written that will looking for the URL containing www.paypal.com. The action of this content filter would be configured to drop and notify.
Customer received example of an email containing: www.pɑypal.com
Content filter as configured contains: www.paypal.com
If you take a look at the actual URL via DNS you will notice they resolve differently:
;; ANSWER SECTION: www.paypal.com. 279 IN CNAME www.paypal.com.akadns.net. www.paypal.com.akadns.net. 9 IN CNAME ppdirect.paypal.com.akadns.net. ppdirect.paypal.com.akadns.net. 279 IN CNAME wlb.paypal.com.akadns.net. wlb.paypal.com.akadns.net. 9 IN CNAME www.paypal.com.edgekey.net. www.paypal.com.edgekey.net. 330 IN CNAME e6166.a.akamaiedge.net. e6166.a.akamaiedge.net. 20 IN A 220.127.116.11
;; AUTHORITY SECTION: a.akamaiedge.net. 878 IN NS n5a.akamaiedge.net. a.akamaiedge.net. 878 IN NS n7a.akamaiedge.net. a.akamaiedge.net. 878 IN NS n2a.akamaiedge.net. a.akamaiedge.net. 878 IN NS n0a.akamaiedge.net. a.akamaiedge.net. 878 IN NS n1a.akamaiedge.net. a.akamaiedge.net. 878 IN NS n4a.akamaiedge.net. a.akamaiedge.net. 878 IN NS n6a.akamaiedge.net. a.akamaiedge.net. 878 IN NS n3a.akamaiedge.net.
;; ADDITIONAL SECTION: n0a.akamaiedge.net. 383 IN A 18.104.22.168 n1a.akamaiedge.net. 3142 IN A 22.214.171.124 n2a.akamaiedge.net. 6697 IN A 126.96.36.199 n3a.akamaiedge.net. 31 IN A 188.8.131.52 n4a.akamaiedge.net. 168 IN A 184.108.40.206 n5a.akamaiedge.net. 968 IN A 220.127.116.11 n6a.akamaiedge.net. 1851 IN A 18.104.22.168 n7a.akamaiedge.net. 3323 IN A 22.214.171.124
The first URL uses a homoglyph of the letter “a” of the unicode format.
If you look closely, you can see that the first “a” in paypal is actually different than the second “a”.
Please be aware when working with message and content filters to block URLs. The ESA cannot tell the difference between homoglyphs and standard alphabet characters. One way to properly detect and prevent the use of homoglyphic phishing attacks is to configure and enable OF and URL Filtering.