Recently a government official in Ukraine forwarded me this message he received over WhatsApp:
The official recognized the message as phishing (misspellings such as “Airine” & “ticets” were immediate giveaways) but he was concerned both because he had previously been targeted by the Russian government-aligned hacking group known as Fancy Bear and because the date the message was sent — Feb. 23, 2018 — corresponded not to the 100th anniversary of the Dutch airline KLM but to the 100th anniversary of the Soviet Red Army. The coincidence was enough to get me interested — especially since I had received a very similar phishing message from a French-speaking journalist two weeks before:
The messages appeared linked, not just in terms of their timing and their content — an offer of free airline tickets over WhatsApp — but also in terms of how the hacker crafted the malicious links. Look carefully and you can see that there’s a tiny irregularity beneath the letter “m” in the KLM hyperlink and a similar irregularity beneath the “a” in Air France.
That’s because the websites don’t point to https://www.klm.com or https://www.airfrance.com but to hxxp://www.klṃ[.]com/ (with an “ṃ” in place of the “m”) and to hxxp://www.airfrạnce[.]com (with an “ạ” in place of the “a”) respectively. (I have sanitized suspect domains throughout.)
The trick here comes courtesy of the internationalized domain system, or IDS, which allows website owners to sprinkle their site names with non-English (or, more precisely, non-ASCII) characters. IDS was conceived as a way to allow non-English speaking web users to create URLs in their native languages, so for example website.ru could be rendered in Russian as Веб-сайт.рф and website.cn might be rendered in Chinese as 网站.中国. But loosening the English language’s grip on the web also meant opening the door for clever fraudsters who could sprinkle domain names with lookalike non-English characters, also called homoglyphs. For example, can you tell the difference between raphaelsatter.com and rарhаеlsаttеr.com? The first is in English characters, the second is a mix of English consonants and Russian vowels, with the English p swapped out for the Russian р. Copy and paste both addresses into your browser’s address bar. You’ll see that the first one looks normal — but that the second one is displayed as “xn--rhlsttr-2fgbc6cf8k.com.” That garble is called “punycode” — effectively an ASCII translation of non-English domains — and web browsers display it prominently so that users aren’t easily tricked into clicking lookalike sites.
Sadly, that failsafe doesn’t exist in WhatsApp, which doesn’t display the punycode even when you press and hold down on the link.
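The punycode conversion and homoglyph check described above, as an added example that is not part of the original post: it turns a domain into the xn-- form a browser would show, then collapses diacritics and a small, hand-built (and deliberately partial) table of Cyrillic lookalikes to a Latin “skeleton” that can be compared against a brand list. The domains, brand list and confusable table are constructed for the demo.

```python
"""Flag IDN homoglyph lookalikes of brand domains (added example)."""
import unicodedata

# Hand-built, deliberately partial map of Cyrillic letters that look like
# Latin ones; Unicode's confusables.txt is the full reference (assumption).
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h",
})


def to_punycode(domain):
    """ASCII form (xn-- labels) a browser shows; unchanged if already ASCII."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Collapse lookalike spellings: NFKD splits 'ṃ' into 'm' plus a combining
    dot (which is dropped), then Cyrillic confusables fold to Latin twins."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CYRILLIC_CONFUSABLES)


def classify(domain, brands):
    """Return (verdict, punycode, impersonated brand or None).
    Accepts either the Unicode or the xn-- form of the domain."""
    ascii_form = to_punycode(domain)
    unicode_form = ascii_form.encode("ascii").decode("idna")
    is_idn = any(lbl.startswith("xn--") for lbl in ascii_form.split("."))
    skel = skeleton(unicode_form)
    for brand in brands:
        if skel == brand and unicode_form != brand:
            return ("lookalike", ascii_form, brand)
    return ("idn" if is_idn else "ascii", ascii_form, None)


if __name__ == "__main__":
    brands = ["klm.com", "airfrance.com", "raphaelsatter.com"]
    # Constructed inputs mirroring the post's domains, with the de-fanging
    # brackets removed so the IDNA codec can process them.
    samples = ["kl\u1e43.com", "airfr\u1ea1nce.com",
               "r\u0430\u0440h\u0430\u0435ls\u0430tt\u0435r.com", "klm.com"]
    for d in samples:
        print(d, classify(d, brands))
```

Feeding the xn-- form (the only thing a log or a DomainTools record may hold) gives the same verdict as the Unicode form, so the check can run on either.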
A lookup through internet intelligence firm DomainTools shows that the klm.com lookalike site is actually “xn--kl-exs[.]com” in punycode and that it was set up Feb. 18. The airfrance.com lookalike is in fact “xn--airfrnce-rx0d[.]com” in punycode and was set up Feb. 12. Although the bogus KLM site was registered through a privacy protection service, the Air France site was registered to a Microsoft webmail address, realboy2008[@]live.com. A reverse lookup through DomainTools shows that realboy2008 registered a half-dozen other lookalike sites within a two-week period, either airline-, shoe- or film-themed.
hxxp://www.adidạs[.]com
hxxp://www.brusselsạirlines[.]com
hxxp://www.cinewọrld[.]com
hxxp://www.ethihạd[.]com
hxxp://www.ṇikẹ[.]com
hxxp://www.turkishạirlines[.]com
A Google search threw up a seventh site not listed by DomainTools:
The above-mentioned sites no longer resolve so it isn’t clear what their exact purpose was, although the French journalist told me the Air France lookalike link took her to a fake Air France site. Recent reporting suggests British users have received messages pointing them to hxxp://viṛginatlantic[.]com, which was described as a “malware website.”
So who’s behind this? Registry data for all 10 above-mentioned sites point back either to privacy protection services or a certain Muhammad Irfan, listed at an address in Karachi, Pakistan, or a certain Kamran Khan, listed at a second Karachi address. That registry data may well be fake. An Urdu- or Hindi-speaker who answered the phone number listed for the sites, Munwar, said through a translator that he had no connection to the realboy2008 email and didn’t live in Karachi.
An email seeking comment from realboy2008 wasn’t returned, but they may be linked to a now-dormant Twitter account, sexyguy4c2csex, which posted the email address to Twitter eight years ago (“c2c” is sometimes used as a reference for webcam sex). sexyguy4c2csex did not return a Twitter message.
The nature of the phishing messages — as well as the hacker’s lackadaisical attempt to cover their tracks — seems to suggest a financially motivated actor rather than espionage. Given the potential link to Pakistan, I attempted to report the account & the suspect websites to Pakistan’s National Response Centre for Cyber Crimes, but the agency solicits information over an unsecured connection & bars submissions that aren’t accompanied by a Pakistani Computerized National Identity Card (CNIC) number.
Facebook — WhatsApp’s owner — said that it was aware of hackers’ use of homoglyphs and that “we have automated systems in place to detect and prevent abusive/malicious domains/URLs.” But those systems didn’t flag the domains in this case, so watch out for those dots.