Here’s How ‘google.news’ Becomes ‘ɢoogle.news’ to Phish Users
- In this type of attack, the original characters in the domain name are replaced with ASCII letters which go unnoticed by humans.
- The attack isn’t limited to Google but can also affect other top brands.
A security researcher recently discovered a clever phishing campaign that impersonates Google News by using homographic characters. IDN Homograph attack is one of the most foolproof ways to redirect unsuspecting users to phishing pages. In this type of attack, the original characters are replaced with ASCII letters which go unnoticed by humans.
‘Google.news’ used for phishing
To demonstrate the attack, researcher Avi Lumelsky explained using a popular brand name ‘Google News’. He noted that the URL uses a homographic character as its first character: ‘ɢoogle.news’ to Phish Users’. This looks similar to the original URL i.e ‘google.news’.
Lumelsky further explained that a few years ago in 2016, someone had bought the impersonated site ‘Google.com’ to use it for phishing purposes.
This is not the only case. Upon further investigation, the researcher found that there were several fake URLs that impersonated other original Google domains. Some of the examples includes ‘ɢoogle.company’’; ɢoogle.email’; ‘ɢoogle.tv’; ‘ɢoogle.life’ and even ‘ɢoogletranslate.com’.
Apart from Google, several fake domains were also registered through the domain registrars like GoDaddy and Namecheap.
Homograph attacks are the best weapon to steal login credentials and tokens from users. Furthermore, an attacker could also inject a malicious script into the hijacked HTTP body and execute it on a client browser connecting the fake website.
The attack isn’t limited to Google but can also affect other top brands. Lumelsky highlights that “Until there is a solution out there, every big company or service will have to secure their domains and assets, by spending lots of money on similar domain names.”