Microsoft’s Digital Crimes Unit secured a court order last week to take down malicious infrastructure used by cybercriminals, targeting the use of “homoglyph” – or imposter – domains. Homoglyph domains are increasingly being used in a variety of attacks by cybercriminals. As a result, a judge in the Eastern District of Virginia issued a court order on 16 July requiring domain registrars to disable the malicious domains that have been used to impersonate Microsoft customers and commit fraud.
These malicious homoglyphs exploit similarities of alpha-numeric characters to create deceptive domains to unlawfully impersonate legitimate organisations. For example, a homoglyph domain may utilise characters with shapes that appear identical or very similar to the characters of a legitimate domain, such as the capital letter “O” and the number “0” (e.g. MICROSOFT.COM vs. MICR0S0FT.COM) or an uppercase “I” and a lowercase “l” (e.g. MICROSOFT.COM vs. MlCROSOFT.COM). In a post by Microsoft’s Amy Hogan-Burney, General Manager, Digital Crimes Unit at Microsoft, she notes they continue to see this technique used in business email compromise (BEC), nation state activity, malware and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks.
This case started with a single customer complaint regarding BEC, and Microsoft’s investigation revealed this criminal group had created 17 additional malicious homoglyph domains that were registered with third parties. The targets are predominantly small businesses operating in North America across several industries. Based on the techniques deployed, the criminals appear to be financially motivated, and Microsoft believes they are part of an extensive network that appears to be based out of West Africa.
In this BEC attack, these fraudulent domains, together with stolen customer credentials, were used by cybercriminals to unlawfully access and monitor accounts. The group proceeded to gather intelligence to impersonate these customers in an attempt to trick victims into transferring funds to the cybercriminals. Once the criminals gained access to a network, they imitated customer employees and targeted their trusted networks, vendors, contractors and agents in an effort to deceive them into sending or approving fraudulent financial payments.
In this instance, the criminals identified a legitimate email communication from the compromised account of an Office 365 customer referencing payment issues and asking for advice on processing payments. The criminals capitalised on this information and sent an impersonation email from a homoglyph domain using the same sender name and a nearly identical domain. The only difference between the genuine communication and the imposter communication was a single letter changed in the mail exchange domain, done to escape the recipient's notice and deceive them into believing the email was a legitimate communication from a known, trusted source. As seen in the example Hogan-Burney provided in her post, these criminals used the same subject line and format as an email from the earlier, legitimate conversation, but falsely claimed a hold had been placed on the account by the CFO, that time was running out and that payment needed to be received as soon as possible.
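The O/0 and I/l substitutions described above, and the one-letter change in the sender's domain in this BEC case, are both things a mail gateway or SOC script can check for before a message reaches an accounts-payable inbox. The following is an added illustration, not Microsoft's tooling and not part of the original post: it folds look-alike characters onto one canonical form (the page names O/0 and I/l; the other pairs in the table are assumed common confusables, not from the page), compares sender domains against a constructed allow-list of trusted domains, and also flags a domain whose folded form is one character away from a trusted one. The sender addresses and allow-list are constructed sample data.

```python
"""Flag sender domains that impersonate trusted domains via homoglyphs.

Added example, not Microsoft's code. The confusable table is a small
constructed sample; a production check would draw on the full Unicode
confusables data and on the organisation's own vendor list.
"""
from typing import Iterable, List, Optional, Tuple

# Each string is one class of characters that render alike; every member is
# folded onto the first character. O/0 and I/l come from the article; the
# remaining classes are assumed extras for illustration.
CONFUSABLE_CLASSES = [
    "o0",    # letter O vs digit zero (MICR0S0FT.COM)
    "il1|",  # capital I / lowercase L / digit one / bar (MlCROSOFT.COM)
    "s5",
    "b6",
    "z2",
    "g9",
]
CANONICAL = {ch: cls[0] for cls in CONFUSABLE_CLASSES for ch in cls}


def normalise(domain: str) -> str:
    """Trim, drop a trailing dot and lowercase (DNS names are case-insensitive)."""
    return domain.strip().rstrip(".").lower()


def skeleton(domain: str) -> str:
    """Canonical form with every confusable character folded."""
    return "".join(CANONICAL.get(ch, ch) for ch in normalise(domain))


def hamming(a: str, b: str) -> Optional[int]:
    """Number of differing positions, or None when lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def classify_domain(candidate: str, trusted: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (trusted_domain, reason) when candidate impersonates a trusted domain.

    reason is "homoglyph" when the folded forms are identical although the raw
    domains differ, or "one-char-edit" when the folded forms differ in exactly
    one position. A candidate that is itself on the trusted list is never flagged.
    """
    cand_raw = normalise(candidate)
    cand_skel = skeleton(candidate)
    trusted_norm = [normalise(t) for t in trusted]
    if cand_raw in trusted_norm:
        return None
    for t in trusted_norm:
        if skeleton(t) == cand_skel:
            return (t, "homoglyph")
    for t in trusted_norm:
        if hamming(skeleton(t), cand_skel) == 1:
            return (t, "one-char-edit")
    return None


def sender_domain(address: str) -> str:
    """Domain part of a From: value such as 'Pat <pat@example.com>'."""
    addr = address.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1]


def scan_senders(addresses: Iterable[str], trusted: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run classify_domain over a batch of sender addresses; return the hits."""
    trusted = list(trusted)
    flagged = []
    for addr in addresses:
        hit = classify_domain(sender_domain(addr), trusted)
        if hit:
            flagged.append((addr, hit[0], hit[1]))
    return flagged


TRUSTED = ["microsoft.com", "contoso.com"]  # constructed allow-list
SAMPLE_SENDERS = [  # constructed sample From: headers
    "Pat <pat@microsoft.com>",       # genuine, not flagged
    "Pat <pat@MICR0S0FT.COM>",       # zeros for the letter O
    "Pat <pat@MlCROSOFT.COM>",       # lowercase L for capital I
    "Vendor AP <ap@contos0.com>",    # zero for the final O
    "Vendor AP <ap@contosa.com>",    # single letter changed
    "Newsletter <news@example.org>", # unrelated domain, not flagged
]

if __name__ == "__main__":
    for addr, looks_like, reason in scan_senders(SAMPLE_SENDERS, TRUSTED):
        print(f"{addr!r} resembles {looks_like} ({reason})")
```

Folding both sides to a skeleton is what makes the check symmetric: a registered domain that uses "l" where the trusted one uses "i" is caught just as a "0" standing in for "o" is. The one-character tier is deliberately the second pass, since it produces more noise on short domains and is best paired with a check that the trusted party has not itself mailed from that domain before.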
Often, once detected or addressed by Microsoft through technical means, these criminals move their malicious infrastructure outside the Microsoft ecosystem and onto third-party services in an attempt to continue their illegal activities. With this case, Microsoft secured an order which eliminates the defendants' ability to move these domains to other providers. The action will further allow Microsoft to diminish the criminals' capabilities and, more importantly, obtain additional evidence to undertake further disruptions inside and outside court. This disruption effort follows 23 previous legal actions against malware and nation-state groups that Microsoft has taken in collaboration with law enforcement and other partners since 2010.