PayPal Phishing – Homographic Email Body [source: pwncode]

There’s an ongoing PayPal Phishing Campaign in the wild which sends HTML attachments that spoof PayPal Forms and request users for sensitive information. This campaign was particularly interesting because the email body was encoded with Unicode characters which look similar to corresponding ASCII Characters.

Homographic attacks are usually performed to craft URLs which look like legitimate URLs by substituting some of the ASCII characters with their look alike Unicode characters.

However, in this particular campaign, the entire email body has been crafted using this technique.

Why apply Homographic Technique to Email Body?

Several Security Analysts as well as Security Vendors write static signatures which are crafted to detect patterns in the email body. The Homographic technique allows these static signatures to be easily bypassed because the attackers can mix ASCII as well Unicode characters to generate different patterns.

As an example, in the email shown in Figure 1 we can see that the email body looks like it’s written in English Language. But if you pay close attention, you will observe that some of the English letters have been substituted with look like Cyrillic characters.

For more, click here.