by Lucas PenzeyMoog, Director of Strategy at Emerging Insider Communications
Copycat websites aimed at stealing your login credentials are nothing new in the crypto space (or on the internet at large). These sites usually rely on subtle URL misspellings that can be missed at first glance, such as substituting a 1 for an l. This type of phishing is most effective when users search for an exchange on a search engine and click what seems to be a legitimate link (hint: never do this). You then enter your credentials on the fake site and within minutes your coins are gone.
Conscientious crypto users and veterans in the space know how to protect themselves, but as crypto goes mainstream large numbers of inexperienced users are falling into these traps. However, there is a more sophisticated URL trick that can fool even the most experienced users if they are not careful. It is called a homograph spoofing attack, and it is downright evil.
Check out the image below from Reddit user u/Games_sans_frontier. Can you spot what’s out of place?
No, those are not specks of dust on your screen. It is a scam website trying to imitate one of the most popular exchanges in the world. The fake URL takes advantage of the fact that Unicode allows for visually similar characters that actually come from different alphabets. When looking closely at the example above you can see the dots, but some characters are literally identical. For example, the Greek, Latin, and Cyrillic lowercase “o” are indistinguishable to the naked eye, yet have the distinct Unicode code points U+03BF, U+006F, and U+043E respectively.
The site above even has an SSL certificate, which enables the reassuring green text saying that the site you are visiting is what it claims to be. However, all it is really saying here is that you are genuinely connected to the fake Biṇaṇce.
Homograph spoofing is not a new phenomenon. A 2001 paper by Evgeniy Gabrilovich and Alex Gontmakher, titled ‘The Homograph Attack’, first described the issue in detail. To prove their point, they were able to register a microsoft.com domain name that used Cyrillic characters.
So how do you protect yourself? The easiest way is to manually type the URL the first time you visit an exchange and then create a bookmark. Never google an exchange and click on the first link. Even more importantly, never click on links sent to you by email. If Coinbase says you need to log in to review your activity, close the email, type in the address manually, and then review your activity. Besides directing you to a spoof website, such links can also silently download malware onto your machine.
You can also adjust your browser settings to turn off support for IDN (internationalized domain names), though most browsers already display IDNs in Punycode (a way of representing Unicode characters using only the limited ASCII character subset supported by the Domain Name System). Chrome extensions like Punycode Alert can warn you when a site is displaying a URL that contains Punycode characters so you can act accordingly.
The first step in stopping scammers is to expose their strategies. Always be vigilant when logging into exchanges and wallets, and approach every website and email with skepticism. The blockchain itself may be incredibly secure, but accessing the blockchain can be anything but.