
March 24, 2017

Font Spoofing Exploit Puts Businesses at Risk

Cybersecurity researchers are now tracking a dangerous online spoofing technique that hackers are using to spread malicious links.

The scheme, which is called an internationalized domain name (IDN) homograph attack, can be more aptly referred to as a font spoofing exploit.  

This exploit is very difficult to detect, and poses a legitimate cybersecurity risk for organizations of all sizes, and across all vertical markets. Failure to detect and eliminate font spoofing could result in a costly and damaging data breach or even a ransomware attack.

Background

Before we dive into font spoofing, it’s important to have a basic understanding of how computers process different fonts.

Computers can only process binary numbers. So all of the characters that we use to communicate with computers — meaning letters, numbers and symbols — are really just abstract figures that require correlating “codepoints,” or numerical sequences, in order to get converted into the various fonts that we see on the screen. Computers store these codepoints in embedded databases.  

In the early days of computer networking, hundreds of different encoding systems were used by computer manufacturers across the world. Each varied in terms of the volume and complexity of the characters they supported. Since these disparate encoding systems were all different from one another, it was much harder to transfer information between computer systems. Compatibility issues were common, as characters simply did not translate well.

The Unicode Consortium solved this problem in 1991, when it released the Unicode standard and created a universal, uniform and unique character database. The international Unicode standard now supports over 96,000 characters and symbols, and many different non-Latin alphabets like Cyrillic, Hebrew, Greek and Chinese. Conversely, the American Standard Code for Information Interchange (ASCII) — which was an American predecessor to Unicode — could only support 128 characters.

As you can see, Unicode was a major upgrade in terms of the way it streamlined machine-to-machine communication. But now, it’s become a cybersecurity concern.

The Threat 

There is one major flaw to Unicode, which is that letters in different languages can appear to be almost identical to one another.

Take a look at the Latin letter “a,” for instance, and compare it with the Cyrillic letter “а.” To the common eye, this may appear to be the same exact character. The former, however, has a correlating number of 0061 in Unicode while the latter is represented by the code 4030. They are two entirely different symbols.

Hackers have learned this, and now they are using the flexible Unicode alphabet to register domain names which closely mirror major websites. For example, a hacker may register a website such as “Yаhoo.com.” Again, notice the use of the Cyrillic “а” here.
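The following Python script is an added example, not code from the original article. It makes the point above concrete: it prints the code point and Unicode name of the Latin and Cyrillic letters (as Python's `unicodedata` module reports them), converts the page's spoofed domain into the ASCII "xn--" form that is actually sent in DNS queries, and flags any domain label that mixes scripts. The spoofed domain is constructed here from the page's example with U+0430 (Cyrillic small a) in place of the Latin "a".

```python
import unicodedata


def codepoints(text):
    """Map each character to its code point and Unicode name,
    e.g. ('U+0430', 'CYRILLIC SMALL LETTER A')."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")) for ch in text]


def scripts(label):
    """Scripts used by the letters of one domain label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def wire_form(domain):
    """The ASCII form sent in DNS queries and TLS SNI: non-ASCII labels become
    'xn--' punycode labels. Uses Python's built-in IDNA codec."""
    return domain.encode("idna").decode("ascii")


def assess(domain):
    """Per-label report for a domain as a user would see it in an address bar.
    A label whose letters come from more than one script is the classic
    homograph pattern and is marked suspicious."""
    report = {"display": domain, "wire": wire_form(domain), "labels": []}
    for label in domain.split("."):
        used = scripts(label)
        report["labels"].append({
            "label": label,
            "scripts": sorted(used),
            "mixed_script": len(used) > 1,
            "non_ascii": not label.isascii(),
        })
    report["suspicious"] = any(lbl["mixed_script"] for lbl in report["labels"])
    return report


if __name__ == "__main__":
    # Constructed sample: the article's example with Cyrillic 'а' (U+0430)
    # standing in for the Latin 'a' (U+0061).
    spoof = "y\u0430hoo.com"
    for cp, name in codepoints("a\u0430"):
        print(cp, name)
    result = assess(spoof)
    print(result["display"], "->", result["wire"], "suspicious:", result["suspicious"])
    print("yahoo.com", "->", assess("yahoo.com")["wire"])
```

The `wire_form` output is what a mail gateway, proxy or DNS log actually records, so the "xn--" prefix is the cheapest indicator to search for; the script check catches the case where a user is shown the decoded Unicode form.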

Oftentimes, hackers will use this strategy to steal private information like passwords or financial credentials. An end user may click a link that appears to take him or her to a normal website, when in fact they are on a third party domain.

It gets even more sophisticated, too. Once a fake domain is established, it’s very easy to set up a corresponding email account. And when coupled with an advanced social engineering strategy, this can be very dangerous.   

A team of hackers may, for instance, buy a domain that resembles a target business’s website, and infect that website with malware. Then, the hackers may investigate the business until they have a clear sense of the type of email address the company is using. Once this is complete, the hackers could send out doctored emails containing links to the spoofed website — tricking vendors and customers into making payments or surrendering personal information.   

While font spoofing may be unethical, it’s not illegal — at least not yet. So we expect to see a major uptick in this type of activity as word spreads throughout the international hacking community about its effectiveness.

Recommended actions

Font spoofing is very tricky to stop, largely because it’s being deployed “in the wild” on the Internet. In other words, hackers are using this type of attack to target unsuspecting end users.  

Here are some ways that businesses can thwart font spoofing: 

Use email filters: IT administrators can set up email filters on company-owned platforms. These filters can be used to flag unknown email addresses. Unfortunately though, not all workers use company-owned email systems. Some may be opposed to letting IT perform management functions on personal accounts.
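One way to implement the filter described above, as an added example rather than a product feature or code from the article: the script below reads sample `From:` headers (constructed here), decodes any "xn--" punycode domain back to the string the recipient would see, reduces the domain to a Latin "skeleton" by replacing lookalike Cyrillic letters, and flags a sender whose skeleton matches a protected brand or partner domain without being that domain. The `CONFUSABLES` table is a small hand-built subset of the Unicode confusables data (UTS #39) and `PROTECTED_DOMAINS` is an assumed list for this example.

```python
import email.utils
import unicodedata

# Constructed subset of the Unicode confusables data (UTS #39): Cyrillic letters
# that render like Latin ones, mapped to the Latin letter they imitate.
# A production filter would load the full confusables file instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

# Assumed list of brands and partners the filter guards (example values).
PROTECTED_DOMAINS = {"yahoo.com", "example.com"}


def display_domain(domain):
    """Return the Unicode form the recipient would see. Punycode ('xn--') labels
    are decoded; a domain that already contains non-ASCII is returned as is."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain


def skeleton(domain):
    """Normalise a domain to the Latin string it *looks* like: NFKC, lowercase,
    then replace confusable letters. Equal skeletons mean visually alike domains."""
    text = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def sender_domain(from_header):
    """Extract the domain part of the address in a From: header."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(from_header):
    """Decide whether one From: header should be flagged, with the reasons."""
    raw = sender_domain(from_header)
    shown = display_domain(raw)
    reasons = []
    if not raw.isascii() or any(lbl.startswith("xn--") for lbl in raw.split(".")):
        reasons.append("non-ASCII or punycode domain")
    for brand in PROTECTED_DOMAINS:
        if shown != brand and skeleton(shown) == brand:
            reasons.append(f"looks like {brand}")
    return {"domain": raw, "display": shown, "flag": bool(reasons), "reasons": reasons}


# Constructed sample headers: one legitimate, one punycode lookalike (built from
# the article's example so the exact punycode need not be typed by hand), one
# raw-Unicode lookalike as an SMTPUTF8 sender might present it, one unrelated.
SPOOF_WIRE = "y\u0430hoo.com".encode("idna").decode("ascii")
SAMPLE_FROM_HEADERS = [
    "Accounts <billing@yahoo.com>",
    f"Accounts <billing@{SPOOF_WIRE}>",
    "Support <help@y\u0430hoo.com>",
    "Partner <ops@vendor-example.net>",
]


def run_filter(headers):
    """Classify every header; returns one report per input line."""
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for report in run_filter(SAMPLE_FROM_HEADERS):
        status = "FLAG" if report["flag"] else "ok  "
        print(status, report["domain"], "->", report["display"], report["reasons"])
```

The skeleton comparison is what catches the attack the article describes; the punycode check on its own would also flag every legitimate internationalized sender, so in practice the two reasons are best weighted differently when routing to quarantine versus a warning banner.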

Educate all workers: This is not a problem that IT can stop on its own. All workers must be extra vigilant for suspicious activity when using email and surfing the Internet. Users should be instructed to report suspicious emails to IT, and to avoid clicking on random links whenever possible.

Set up a CASB: Some attacks will sneak by. This is inevitable. But by using a cloud access security broker (CASB), a business can be alerted—and take action—when suspicious network activity is detected. A CASB is a doorway for network traffic.  

For instance, a hacker could use a font spoofing exploit to obtain an end user’s password. But if the business is protected with a CASB, the network will be able to detect if someone is trying to log into a private account from a suspicious location. A CASB can suspend an account if it picks up on this type of activity.

Collect and analyze network intelligence: Corporate hacks are not typically random events. Instead, think of them as sophisticated campaigns. Reconnaissance work is therefore necessary for spotting potential threats early in a campaign, so that action can be taken before a threat (like a spoofed link) can be deployed.

Perhaps the most important takeaway that we can learn from font spoofing is that cybercrime is becoming too advanced for the average organization to combat. Partnering with a managed services provider (MSP) is a cost-effective and reliable way to obtain the necessary resources and guidance for staying safe online.

A new breed of hacktrepreneurs has awoken, and they have little to fear and everything to gain by infecting as many companies as possible and extorting money from them. Apex Technology Services stands ready to protect your company regardless of whether it’s located in New York City; White Plains, New York; Connecticut; Australia; Europe; or anywhere else. Our full suite of cybersecurity and IT support services is at your disposal, enabling you to spend less time worrying and more time growing your business.

To ensure your security, consider one of our most popular services — Auditing & Documentation, which pinpoints vulnerabilities in your infrastructure, process flow and internal security procedures.
