Visual Phishing with WhatsApp
November 2nd, 2017
I recently received the following LinkedIn message from an Abu Dhabi Police engineer asking about the details of spoofing the IKEA domain. Such visual spoofing (a homograph attack) can appear not only in WhatsApp but in almost any modern messenger application. Sometimes this is referred to as a “WhatsApp scam”. A good reason to write about the topic.
Motivation by the Attacker
A short note about the visual spoofing (homograph, or WhatsApp scam) attack. The idea is simple: the victim shall click on the IKEA link. Visually, it looks like a trustworthy IKEA voucher code URL. But it is not; it is a fake. Under the hood, the link redirects the user to a phishing or other malware site. This increasingly appears in mobile messenger applications.
Understanding Visual Spoofing
The attack is not new! Earlier in 2017, a visual spoofing attack against the apple.com domain was demonstrated, and Xudong Zheng wrote a very nice write-up about it.
Homoglyph Attack Generator
If you want to play around with such fake URLs, use the following irongeek URL (make sure it is not a fake 8-). It creates the visual spoofing string using special Unicode characters, whose encoded form is referred to as Punycode.
http://www.irongeek.com/homoglyph-attack-generator.php
Decoding Visual Spoofing Strings
For the command liners, you can use the following Python 3 command to decode the fake string and reveal its Punycode form (in the example below, I am decoding the visually spoofed apple.com string that has been used in the past):
python3 -c 'print("https://www.аррӏе.com/".encode("idna").decode("ascii"))'
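As an added example (not part of the original post), the same IDNA decoding carried one step further into a defender's check: it encodes a URL's host to Punycode and flags labels that are Latin lookalikes built from another script, including the whole-script Cyrillic case behind the fake apple.com link. The confusables table is an assumed small subset of Unicode's UTS #39 data, and the sample URLs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Small subset of the Unicode confusables table (UTS #39): letters of other
# scripts mapped to the Latin letter they look like. Assumption: this subset
# is enough for the demonstration; a real check would load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d",                 # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p",  # Greek
}

def punycode_host(url: str) -> str:
    """Host of url as a browser shows it once it falls back to Punycode,
    e.g. www.xn--80ak6aa92e.com (the idna codec encodes label by label)."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")

def skeleton(label: str) -> str:
    """Replace every confusable character by its Latin lookalike."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))

def check_url(url: str):
    """Return (punycode host, findings). A finding (label, lookalike, kind) is
    raised for every non-ASCII label whose skeleton is pure ASCII: it renders
    like a Latin name, either by mixing scripts or, as in the apple.com case,
    by using a whole alphabet of lookalikes (which mixed-script checks miss)."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue                      # plain ASCII label, nothing to see
        lookalike = skeleton(label)
        if not lookalike.isascii():
            continue                      # genuinely non-Latin name, e.g. пример.рф
        mixed = any(c.isascii() and c.isalpha() for c in label)
        kind = "mixed-script" if mixed else "whole-script confusable"
        findings.append((label, lookalike, kind))
    return punycode_host(url), findings

if __name__ == "__main__":
    # Constructed sample: the Cyrillic apple.com lookalike from Xudong Zheng's
    # write-up, written with escapes so the substitution is visible in the source.
    fake = "https://www.\u0430\u0440\u0440\u04cf\u0435.com/"
    for url in (fake, "https://www.apple.com/"):
        host, findings = check_url(url)
        print(url, "->", host, findings or "ok")
```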
Other Good References for This Topic
Thank You for Reading
Ivan Bütler
CEO Compass Security
ivan.buetler@compass-security.com