Do not use these sites
Updated on January 28th with a new credential theft warning.
If you find yourself on one of these malicious sites and don’t detect the threat quickly enough, you risk losing accounts, credentials, and data. This is worse when it comes to Chrome or Safari on your phone, where detecting threats is more difficult.
This is the case with a new warning reported by Cyber Security News: “Hackers use ‘rn’ typo to impersonate Microsoft and Marriott in new phishing attack.” This tactic of using an ‘r’ and an ‘n’ to replace an “m” in a URL on a small screen “creates fake websites that look almost identical to the real thing.”
Homoglyph attacks, the report explains, are ones in which “attackers exploit visually similar characters to deceive users or systems” and are used “in phishing, domain spoofing, and software supply chain attacks—often with high success rates. They are dangerous because the fake often looks exactly like the real thing.”
Cyber Security News says two recent attacks leveraging the “r+n” technique have targeted Microsoft and Marriott customers. Of the two, the attack on Microsoft users is clearly the more dangerous: stolen Microsoft credentials or hijacked Microsoft accounts are extremely valuable to attackers.
“Security firm Anagram highlighted a similar campaign targeting Microsoft users. Phishing emails in this campaign use the rnicrosoft.com domain to send fake security alerts or invoice alerts.”
While you can hover over a link (or long-press it on a phone) to check the URL before clicking, most users don’t. The safer habit is not to follow links from emails or messages at all: open the company’s app or type the real website address yourself.
You should also make sure that strong, unique passwords and two-factor authentication are in place on all key accounts, which definitely includes Microsoft.
Given this new warning, look especially closely at any domain that contains the letter “m”. On a small screen, “rn” can be almost impossible to tell from “m”, so read the address letter by letter or, better, don’t rely on eyeballing it at all.
Meanwhile, a new update from 1Password makes it clear that fake websites designed to steal user credentials can be stopped without those users having to check all the URLs by searching for “r+n” or similar tricks on small-screen devices.
As BleepingComputer explains, “digital vault and password manager 1Password has added built-in protection against phishing URLs to help users identify malicious pages and prevent them from sharing account credentials with threat actors.”
So how does this work? “1Password will not fill in a user’s login data when they visit a website with a URL that does not match the one stored in their vault.”
Per the same report, “the update adds visible pop-up notifications when users visit URLs that appear dangerous, including domains that look very similar to legitimate websites but may be controlled by attackers.” That is exactly the pattern in the Microsoft and Marriott attacks.
This is rolling out now and should just work, without any settings changes. It’s good that 1Password is making the change, but this should become standard across all password managers: refuse to auto-fill credentials on a domain that doesn’t match the saved login, and warn the user when the domain is a lookalike of one they have saved. The manager compares the actual domain string, so it is not fooled by a rendering trick that fools the human eye.
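To make the password-manager behaviour described above concrete, here is an added example of the two checks a manager can run before filling a login: exact matching of the registrable domain against the saved entry (fill or don’t fill), and a confusable-character “skeleton” comparison that catches the “rn”-for-“m” trick from the Microsoft and Marriott campaigns (warn). This is illustrative code written for this page, not 1Password’s implementation and not code from Cyber Security News or BleepingComputer; the public-suffix table, the confusable table, the list of genuine domains and the sample URLs are all constructed assumptions.

```python
"""Lookalike-domain checks of the kind a password manager can run before
auto-filling a login. Added example for this page; not 1Password's code.
The suffix table, confusable table, domain list and sample URLs below are
constructed for illustration."""
from urllib.parse import urlsplit

# Constructed, deliberately short stand-in for the Public Suffix List so that
# "accounts.marriott.co.uk" reduces to "marriott.co.uk", not "co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Multi-letter sequences that render like a single letter at small sizes
# ("rn" vs "m" is the trick used in the Microsoft and Marriott campaigns).
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Single characters routinely swapped for a look-alike in ASCII domains.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "i": "l"})

# Constructed list of genuine domains the manager knows about (the brands
# named in the article). A vault entry's own domain is added at check time.
LEGITIMATE_DOMAINS = ("microsoft.com", "marriott.com")


def registrable_domain(url: str) -> str:
    """Return the domain a user is really on: brand label plus public suffix.

    Sub-domains are dropped, so "microsoft.com.evil-login.net" resolves to
    "evil-login.net" rather than to anything containing Microsoft.
    """
    if "://" not in url:
        url = "https://" + url            # bare hostnames are accepted too
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain: str) -> str:
    """The part a human reads as the brand: "microsoft" in "microsoft.com"."""
    return domain.split(".")[0]


def skeleton(label: str) -> str:
    """Collapse visually confusable spellings so look-alikes compare equal."""
    s = label.lower()
    for sequence, single in CONFUSABLE_SEQUENCES:
        s = s.replace(sequence, single)
    return s.translate(CONFUSABLE_CHARS)


def classify(visited_url: str, vault_domain: str,
             legitimate_domains=LEGITIMATE_DOMAINS) -> str:
    """Decide what the manager should do on visited_url for one saved login.

    "fill"      registrable domain is exactly the one stored in the vault
    "lookalike" a different domain whose brand label collapses to a known
                brand once confusables are normalised: do not fill, warn
    "nofill"    any other site: do not fill, nothing to warn about
    """
    visited = registrable_domain(visited_url)
    if visited == vault_domain:
        return "fill"
    known = set(legitimate_domains) | {vault_domain}
    if visited in known:
        return "nofill"                   # a genuine site, just a different login
    known_skeletons = {skeleton(brand_label(d)) for d in known}
    if skeleton(brand_label(visited)) in known_skeletons:
        return "lookalike"
    return "nofill"


if __name__ == "__main__":
    # Constructed sample URLs modelled on the campaign described in the article.
    for url in ("https://login.microsoft.com/common/oauth2",
                "https://rnicrosoft.com/security-alert",
                "rnarriott.com/reservations",
                "https://microsoft.com.evil-login.net/"):
        print(f"{classify(url, 'microsoft.com'):9s} {url}")
```

The point of the skeleton step is that the check runs on the domain string the browser actually resolved, not on what the user sees, so “rnicrosoft.com” and “microsoft.com” collapse to the same key while the exact-match step still refuses to fill. A production implementation would use the full Public Suffix List instead of the four-entry table, and the Unicode confusables data from Unicode Technical Standard #39 to handle non-ASCII homoglyphs (a Cyrillic “а” for a Latin “a”, for example), which this ASCII-only skeleton does not attempt.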
The scale of the phishing threat has been highlighted by a new report warning that “several large organizations appear to have been targeted in a recent cybercrime campaign”. However, this goes beyond simple login pages.
According to SecurityWeek, Silent Push found “that threat actors are preparing or conducting attacks against at least 100 organizations in sectors such as software and technology, financial services, real estate, energy and utilities, healthcare, logistics and transportation, manufacturing, retail and insurance” in the last 30 days.
Silent Push lists the targeted organizations on its website. This goes many levels beyond lookalike domains. “The main infrastructure used,” reports Silent Push, “is a new ‘Live Phishing Panel.’ This allows a human attacker to sit in the middle of a session, intercepting MFA credentials and tokens in real-time to gain immediate, persistent access to corporate dashboards.” In other words, an adversary-in-the-middle relay: the victim types a one-time code into the fake page, the attacker forwards it to the real service and keeps the resulting session, so code-based MFA alone does not stop it, whereas phishing-resistant methods such as FIDO2 security keys or passkeys do, because they are bound to the genuine domain.
Even so, fake domains are still at the heart of this attack, and that is good news for defenders because it gives them a place to start. The simple rule is unchanged: if the domain in the address bar is not the real one, you are being attacked, however convincing the page looks.
But it also shows what you’re up against, especially at the initial entry point into corporate systems, which usually begins with employee credentials. You’d be surprised how often the simplest style of attack succeeds, long before cybercriminals need to resort to stealing session tokens. You’d also be surprised how many users, at home and at work, still haven’t added multi-factor authentication and strong passwords to their accounts.
