Updated: September 11, 2015
This document describes the use of homoglyph characters in advanced phishing attacks and what to be aware of when you use message and content filters on the Cisco Email Security Appliance (ESA) to block them.
Homoglyph Advanced Phishing Attacks
In advanced phishing attacks today, phishing emails may contain homoglyph characters. A homoglyph is a text character whose shape is identical or nearly identical to that of another character. URLs embedded in phishing emails may therefore not be blocked by the message or content filters configured on the ESA.
An example scenario may be as follows: a customer wants to block an email that contains the URL www.pɑypal.com. To do so, an inbound content filter is written that looks for a URL containing www.paypal.com. The action of this content filter is configured to drop and notify.
Customer received example of an email containing: www.pɑypal.com
Content filter as configured contains: www.paypal.com
If you look up the two hostnames in DNS, you will notice that they resolve differently. This is the lookup of the genuine www.paypal.com:
;; ANSWER SECTION:
www.paypal.com.                    279  IN  CNAME  www.paypal.com.akadns.net.
www.paypal.com.akadns.net.           9  IN  CNAME  ppdirect.paypal.com.akadns.net.
ppdirect.paypal.com.akadns.net.    279  IN  CNAME  wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net.           9  IN  CNAME  www.paypal.com.edgekey.net.
www.paypal.com.edgekey.net.        330  IN  CNAME  e6166.a.akamaiedge.net.
e6166.a.akamaiedge.net.             20  IN  A      188.8.131.52
;; AUTHORITY SECTION:
a.akamaiedge.net.                  878  IN  NS     n5a.akamaiedge.net.
a.akamaiedge.net.                  878  IN  NS     n7a.akamaiedge.net.
a.akamaiedge.net.                  878  IN  NS     n2a.akamaiedge.net.
a.akamaiedge.net.                  878  IN  NS     n0a.akamaiedge.net.
a.akamaiedge.net.                  878  IN  NS     n1a.akamaiedge.net.
a.akamaiedge.net.                  878  IN  NS     n4a.akamaiedge.net.
a.akamaiedge.net.                  878  IN  NS     n6a.akamaiedge.net.
a.akamaiedge.net.                  878  IN  NS     n3a.akamaiedge.net.
;; ADDITIONAL SECTION:
n0a.akamaiedge.net.                383  IN  A      184.108.40.206
n1a.akamaiedge.net.               3142  IN  A      220.127.116.11
n2a.akamaiedge.net.               6697  IN  A      18.104.22.168
n3a.akamaiedge.net.                 31  IN  A      22.214.171.124
n4a.akamaiedge.net.                168  IN  A      126.96.36.199
n5a.akamaiedge.net.                968  IN  A      188.8.131.52
n6a.akamaiedge.net.               1851  IN  A      184.108.40.206
n7a.akamaiedge.net.               3323  IN  A      220.127.116.11
The first URL (www.pɑypal.com) uses a Unicode homoglyph in place of the letter “a”.
If you look closely, you can see that the first “a” in paypal is actually different than the second “a”.
Please be aware of this when you work with message and content filters to block URLs. The ESA cannot tell the difference between homoglyphs and standard alphabet characters, so a filter that matches the string www.paypal.com does not match www.pɑypal.com. One way to properly detect and prevent homoglyphic phishing attacks is to configure and enable Outbreak Filters (OF) and URL Filtering.
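The following is an added example, not Cisco's code and not the logic the ESA runs; it shows in Python why the content filter in the scenario above misses the message, and what a homoglyph-aware comparison looks like. The homoglyph in www.pɑypal.com is U+0251 LATIN SMALL LETTER ALPHA. The confusables table, the sample message body and the helper names are constructed for this example; a real tool would load the full Unicode confusables list rather than the small subset shown here.

```python
import unicodedata

# Constructed subset of Unicode confusable mappings (assumption: a real
# deployment would load the complete Unicode confusables.txt table).
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA, the character in www.pɑypal.com
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}


def skeleton(text):
    """Reduce text to a 'skeleton': NFKC-normalise, replace known confusables
    with their ASCII look-alike, and lower-case. Two strings with the same
    skeleton look the same to a human reader."""
    normalised = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised).lower()


def non_ascii_chars(text):
    """List every non-ASCII character with its Unicode name and code point;
    this is what an analyst needs to see why a filter missed a URL."""
    return [(ch, unicodedata.name(ch, "UNKNOWN"), "U+%04X" % ord(ch))
            for ch in text if ord(ch) > 127]


def scripts_in(text):
    """Approximate script detection from the first word of each letter's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). Note that U+0251 is a LATIN
    letter, so a mixed-script check alone does not catch www.pɑypal.com."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def punycode_form(host):
    """The IDNA (xn--) form of a host; a filter for 'www.paypal.com' does not
    match this form either."""
    return host.encode("idna").decode("ascii")


def naive_url_match(text, blocked_url):
    """A plain substring filter: the comparison that fails in the scenario."""
    return blocked_url.lower() in text.lower()


def homoglyph_aware_match(text, blocked_url):
    """The same check on skeletons: catches the alpha/a swap and
    Cyrillic/Latin swaps in the confusables table."""
    return skeleton(blocked_url) in skeleton(text)


def classify_host(host, protected_hosts):
    """'exact' for a genuine protected host, 'lookalike' for a homoglyph
    spoof of one, otherwise 'unrelated'."""
    for protected in protected_hosts:
        if host.lower() == protected.lower():
            return "exact"
        if skeleton(host) == skeleton(protected):
            return "lookalike"
    return "unrelated"


# Constructed sample message body carrying the homoglyph URL from the article.
SAMPLE_BODY = "Please sign in at http://www.p\u0251ypal.com/verify to restore access."
FILTER_URL = "www.paypal.com"

if __name__ == "__main__":
    print("naive filter matches:   ", naive_url_match(SAMPLE_BODY, FILTER_URL))
    print("skeleton filter matches:", homoglyph_aware_match(SAMPLE_BODY, FILTER_URL))
    for ch, name, cp in non_ascii_chars(SAMPLE_BODY):
        print("suspicious character %r = %s (%s)" % (ch, name, cp))
    print("punycode form:", punycode_form("www.p\u0251ypal.com"))
    print("classification:", classify_host("www.p\u0251ypal.com", [FILTER_URL]))
```

The skeleton comparison is deliberately one-directional: it only flags a host that looks like a protected one, so ordinary international domain names that do not resemble anything on the protected list are left alone. Listing the non-ASCII characters with their code points is the quickest way to confirm, from a sample message, that a filter miss was caused by a homoglyph rather than by a filter syntax error.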