Key Takeaways
- A sophisticated phishing campaign is targeting Marriott International and Microsoft customers using a "homoglyph" attack.
- The attack exploits the visual similarity between the letters "r" and "n" and the letter "m" in many fonts.
- Hackers are registering domains that replace the letter "m" with the combination "rn" to create fake websites that look nearly identical to the real ones.
- Users can stay safe by expanding the sender address, hovering before clicking on links, manually entering website addresses, and using password managers.
Introduction to Homoglyph Attacks
A sophisticated "homoglyph" phishing campaign has been identified, targeting customers of Marriott International and Microsoft. This type of attack exploits the way modern fonts display text, specifically the visual similarity between the letters "r" and "n" and the letter "m". In many fonts, the combination of "r" and "n" (rn) is placed next to each other and looks visually indistinguishable from the letter "m". This technique, known as typosquatting or a homoglyph attack, is used by hackers to bypass the brain’s ability to spot errors, making it difficult for users to distinguish between the real and fake websites.
Recent Campaigns Identified
Security firm Netcraft recently identified a cluster of malicious domains attempting to impersonate Marriott International. These domains are likely used to steal loyalty account credentials or personal guest data. The primary domain identified is rnarriottinternational.com, and attackers have also registered variations like rnarriotthotels.com to target specific hotel brands. Additionally, Harley Sugarman, CEO of the security firm Anagram, highlighted a similar campaign targeting Microsoft users, using the domain rnicrosoft.com to send fake security alerts or invoice notifications. These emails mimic the official Microsoft logo, tone, and layout, making it even more challenging for users to identify the phishing attempt.
The Danger of Homoglyph Attacks
The attack is particularly dangerous on mobile devices, where small screens make the "rn" vs. "m" difference almost impossible to see. This makes it crucial for users to be vigilant and take extra precautions when interacting with emails and websites on their mobile devices. The phishing emails and websites are designed to look legitimate, making it easy for users to fall victim to the attack. The consequences of a successful attack can be severe, including the theft of sensitive information, financial loss, and damage to one’s reputation.
Indicators of Compromise (IOCs)
Several domains have been flagged as malicious, and security teams should block these immediately. Users should also be wary of any links directing to these domains. The following domains have been identified as malicious: rnarriottinternational.com, rnarriotthotels.com, rnicrosoft.com, micros0ft.com, and microsoft-support.com. These domains use various typosquatting techniques, including replacing the letter "m" with "rn", replacing the letter "o" with "0", and using hyphenation or suffixes to create fake websites that look similar to the real ones.
Staying Safe from Homoglyph Attacks
To stay safe from these types of attacks, users can take several precautions. First, when using mobile email apps, it’s essential to tap the sender’s name to reveal the full email address and look closely for the "rn" trick. On a computer, hovering the mouse cursor over links without clicking can help users see the actual destination URL. Additionally, if a user receives an urgent email about a hotel booking or account reset, they should not click the link. Instead, they should open a browser and type the website address manually. Using a password manager can also help, as it will not auto-fill credentials on a fake site like rnicrosoft.com because it recognizes that the domain is different from the real one.
Conclusion and Recommendations
In conclusion, the homoglyph attack is a sophisticated phishing technique that exploits the visual similarity between the letters "r" and "n" and the letter "m". Users must be vigilant and take extra precautions to stay safe from these types of attacks. By expanding the sender address, hovering before clicking on links, manually entering website addresses, and using password managers, users can reduce the risk of falling victim to these attacks. It’s also essential for organizations to educate their employees and customers about the dangers of homoglyph attacks and provide them with the necessary tools and resources to stay safe online. By working together, we can prevent these types of attacks and protect sensitive information from falling into the wrong hands.
