5

I was reading some tweets from @pwnallthethings regarding the John Podesta spear phishing emails.

What the email looked like:

enter image description here

The Change Password button link, notice the domain com-securitysettingpage.tk

enter image description here

From @pwnallthethings:

You're probably thinking "wow how come Google algorithms didn't catch this email, it's right there asking for your password?". Because the letters aren't English to trick the filters. Hackers are smart.

To be specific they are probably Homoglyph unicode characters. Below you can find quite a nice tool to create a text using homoglyphs.

https://www.irongeek.com/homoglyph-attack-generator.php

Example:

ASCII:

Ogglas

Homoglyph unicode:

Οɡɡⅼɑѕ

Does Gmail check Unicode now or is this "vulnerability" still in affect? Most of the spam emails I receive are correctly identified but some still slip through. Some using Unicode but some are still plain ASCII characters.

Find Unicode characters using Notepad++:

https://stackoverflow.com/a/20890052/3850405

Some more articles:

https://www.nytimes.com/interactive/2017/01/06/us/russian-hack-evidence.html

http://p3isys.com/p3isys-tech-blog/153-podestahack

Ogglas
  • 677
  • 4
  • 12
  • 26
  • Seems simple enough to check. – schroeder Jul 16 '18 at 17:00
  • I'm not sure this is a security question. "Does service X perform function Y?" is more of a question for the service. – schroeder Jul 16 '18 at 17:00
  • @schroeder Agreed, however I did not find a more suitable forum. I also think the topic could fall under "social engineering, including phishing" and how easy that is. – Ogglas Jul 16 '18 at 17:04
  • Perhaps the question could be rephrased into something more on-topic. Or you could always start a conversation about it [in chat](https://chat.stackexchange.com/rooms/151/the-dmz). – mbomb007 Jul 18 '18 at 21:26

1 Answers1

3

Yes, Google checks for unicode homoglyphs in email now. This is primarily done to make it easier to recognize spam, but it also works fairly well against many phishing attacks. This change was actually done in 2014. In particular, they are using an open standard from the Unicode Consortium for restricting homoglyphs. However, while this does improve security, there are a large number of potential ways to bypass it. A presentation from DEF CON 26 went over some of the possible ways to bypass such detection mechanisms and why it's so difficult to comprehensively detect such attacks from software.

forest
  • 64,616
  • 20
  • 206
  • 257