I heard this story from a local startup as well - an investor ended up losing ~$100k because the investor's email account was compromised and a lookalike domain was used to impersonate the startup.
I've been calling people out-of-band for verification using phone numbers from past communications, even if I'm working on transactions that don't seem out of the ordinary. Not that SIM card fraud doesn't happen, but at least that adds another layer of security.
Isn’t it time to see more widespread use of encryption in emails? What I’m pertaining to is signing emails to make sure they are coming from correct source.
Encryption doesn’t help Unicode homoglyph attacks. I can send you encrypted messages all day long from google.com, even though they’re not coming from who you think they are.
You wouldn't be able to sign the fake message with the fake domain unless you compromised the sender's PGP private key, which was not the vector of this attack.
As bayarrhea points out, a signature doesn't help you if the attack model is "lookalike domain".
Email validation exists; gmail will let you know if email arrived over TLS or not. Validation that the source of an email matches the "From:" header is generally done by checking the domain's SPF record.
I'm thinking it might have quite likely been people from inside both the VC firm and the startup to be funded, collaborating to phish the money away from their companies...
Considering that both the countries (Israel, China) are and have been involved in very unsavory stuff, I wouldn’t say that it’s an unreasonable conclusion. Less than 50% likely, probably. But definitely not out of the question.
I'm not aware of any Chinese websites that don't just use Pinyin for their domain name. Some random person is squatting on http://xn--wxtr44c.xn--fiqs8s/ (百度.中国), but Baidu doesn't seem to care. They use http://www.baidu.com/ as their primary address.
> I'm not aware of any Chinese websites that don't just use Pinyin for their domain name.
There are tons. One prominent email provider is a three-digit number. There's a job board at 51job.com.
(What's 51job? Read in Mandarin, that would be "wǔ yāo job" [five one "job" (the English word)]. This is felt to sound similar to "wǒ yào job" 我要job [I want a job].)
一 yi (tone varies based on phonological context) is the ordinary word for 1.
幺 yāo is a common word for 1 when vocalizing a stream of digits. (Such as a phone number / credit card number / account number / etc.) I am told that this originated as a way to easily distinguish 1 from 7 (七 qī) when communicating over a low-quality connection. In the presence of static, yi and qi could sound similar.
I should've written "... that don't just use ASCII characters instead of Hanzi." Of course domains using numbers or English words aren't Pinyin, but the point is that they don't require Punycode to represent.
The other day I was browsing a list of all my country's domains and noticed a bunch starting with xn-- and you just made me understand what these are.
None of them seem worth phishing for. In some cases when you google the site name, google will show results from sitename.tld and when you visit the site with the show_punycode true, it will actually load pages from the xn-- equivalent. So it looks like the "original" domain isn't even indexed or online at all.
In another case both the xn-- and "normal" domain sit side by side on the same server. I guess there's no harm in posting these:
cadzandie.be and xn--cadzandi-01a.be. Note there's no ë in the first domain
Another strange one is
xn--rembours-i1a.be
When you type in remboursé.be it actually redirects (?) to the xn-- equivalent.
I'm fascinated but having a hard time seeing sense in this.
Encryption only verifies it hasn't been changed or viewed by a third party, the original email contained the problem so you would just store an encrypted string that would decrypt with the attack in it
36 comments
[ 2.6 ms ] story [ 76.8 ms ] threadI've been calling people out-of-band for verification using phone numbers from past communications, even if I'm working on transactions that don't seem out of the ordinary. Not that SIM card fraud doesn't happen, but at least that adds another layer of security.
in /etc/dnsmasq.conf add something like:
(in case your dnsmasq doesn't support this then there is a patch here: https://github.com/spacedingo/dnsmasq-regexp_2.76)If you are using CAs then homoglyph attacks are the simplest of many attacks based on a system of minimal technical compliance.
Email validation exists; gmail will let you know if email arrived over TLS or not. Validation that the source of an email matches the "From:" header is generally done by checking the domain's SPF record.
https://en.wikipedia.org/wiki/Sender_Policy_Framework
https://en.wikipedia.org/wiki/Email_spoofing#Countermeasures
Pretty safe if people actually follow procedures
Test with the fake Apple domain https://www.xn--80ak6aa92e.com/ .
See "Phishing with Unicode Domains" for more information: https://www.xudongz.com/blog/2017/idn-phishing/ .
Also I'm not sure what effect that will have for Chinese users. It might make many of their URLs look strange to them.
See: https://www.reddit.com/r/firefox/comments/7ul9p3/why_is_netw...
There are tons. One prominent email provider is a three-digit number. There's a job board at 51job.com.
(What's 51job? Read in Mandarin, that would be "wǔ yāo job" [five one "job" (the English word)]. This is felt to sound similar to "wǒ yào job" 我要job [I want a job].)
幺 yāo is a common word for 1 when vocalizing a stream of digits. (Such as a phone number / credit card number / account number / etc.) I am told that this originated as a way to easily distinguish 1 from 7 (七 qī) when communicating over a low-quality connection. In the presence of static, yi and qi could sound similar.
CC-CEDICT has a good gloss ( https://www.mdbg.net/chinese/dictionary?page=worddict&wdrst=... ):
> one (unambiguous spoken form when spelling out numbers, esp. on telephone or in military)
None of them seem worth phishing for. In some cases when you google the site name, google will show results from sitename.tld and when you visit the site with the show_punycode true, it will actually load pages from the xn-- equivalent. So it looks like the "original" domain isn't even indexed or online at all.
In another case both the xn-- and "normal" domain sit side by side on the same server. I guess there's no harm in posting these:
cadzandie.be and xn--cadzandi-01a.be. Note there's no ë in the first domain
Another strange one is
xn--rembours-i1a.be
When you type in remboursé.be it actually redirects (?) to the xn-- equivalent.
I'm fascinated but having a hard time seeing sense in this.
Real people have been owned by this idiotic response from mozilla.
I’ve used Firefox since it was actually called “Mozilla”.
I’ve never been more upset at a decision of theirs than now.
How about digital signatures and end-to-end email encryption.
I wonder if anyone is doing this regularly. I didn't hear much about it after the initial fanfare.