If you clicked on a link to IIoydsbank.co.uk you would expect to reach lloydsbank.co.uk, right?
This is actually a technique that has been used in phishing attacks for donkey’s years. It’s called an IDN homograph attack.
In this case, the site is taking advantage of the fact that in uppercase the letter “i” looks like a lowercase “L”.
It’s easier to see what has happened if you view the URL in a different font.
lloydsbank.co.uk is the legitimate banking site.
IIoydsbank.co.uk is not.
Security consultant Paul Moore this weekend highlighted the issue by registering the domain IIoydsbank.co.uk and asking people to spot the difference on Twitter:
Can you spot the difference? http://t.co/KpMyCrFXJh http://t.co/tD5nq7SG3W #phishing #scam #caseSensitive #security pic.twitter.com/oLfHus7hM7
— Paul Moore 🇬🇧 (@Paul_Reviews) June 27, 2015
That’s clearly cunning enough to outfox many computer users.
But then Paul went one step further, buying a TLS certificate for his IIoydsbank website, so it could display a green padlock to reassure visitors who visited its HTTPS address that their communications were being encrypted.
In fact, boasted Paul, the site was soon receiving a higher score in the Qualys SSL test than the real banking site!
On some device/browser combinations the problem is compounded, showing the URL in its case-sensitive form – rather than lowercasing it to a more obvious “iioydsbank”.
So, what we have here is a bogus domain, which could easily fool many users into believing it was the genuine banking website, complete with a high level of HTTPS crypto.
Fortunately Paul is a good guy, so he’s only interested in raising awareness. He contacted the real Lloyds Bank, and transferred the ownership of the domain to them.
Cloudflare, who had happily supplied an SSL certificate for the site, revoked it yesterday and were (incorrectly) marking the site as being suspected of phishing.
If only they had shown an abundance of caution when asked to sell a certificate for a site with “bank” in its name a day or so before.
You may not have to worry about IIoydsbank any longer, but don’t forget there are plenty of other opportunities for attackers to outfox you with homograph attacks.
It’s not just uppercase I and lowercase L. For instance, zeroes look like the letter O, and there are a number of Cyrillic characters that look remarkably similar to letters in the basic Latin alphabet, and those similarities can be exploited via Unicode support.
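As an added example (not code from the article or from Paul Moore), here is a small Python check of the kind a bank's brand-protection or mail-filtering team might run: it folds visually confusable characters to a Latin "skeleton" before lowercasing, so IIoydsbank.co.uk, a zero-for-o variant and a Cyrillic-o variant are all flagged as lookalikes of lloydsbank.co.uk, and mixed Latin/Cyrillic hostnames are reported separately. The confusable map is a hand-picked assumption, not Unicode's full confusables table.

```python
import unicodedata
from typing import Iterable, Optional

# Constructed lookalike map (an assumption for this example, not exhaustive).
# Each key renders like its value in common sans-serif fonts.
CONFUSABLES = {
    "I": "l",        # uppercase i vs lowercase L (the IIoydsbank case)
    "1": "l",        # digit one vs lowercase L
    "0": "o",        # zero vs lowercase o
    "\u0430": "a",   # Cyrillic small a
    "\u0435": "e",   # Cyrillic small ie
    "\u043e": "o",   # Cyrillic small o
    "\u0440": "p",   # Cyrillic small er
    "\u0441": "c",   # Cyrillic small es
    "\u0443": "y",   # Cyrillic small u
    "\u0445": "x",   # Cyrillic small ha
}


def skeleton(host: str) -> str:
    """Collapse confusable characters to one canonical Latin form.
    Folding happens BEFORE lowercasing: the I -> l confusion only exists
    in uppercase, and lowercasing first would turn "II" into "ii"."""
    out = []
    for ch in unicodedata.normalize("NFKC", host):
        out.append(CONFUSABLES.get(ch, ch).lower())
    return "".join(out)


def mixed_scripts(host: str) -> bool:
    """True if the letters of the hostname come from more than one script
    (e.g. Latin mixed with Cyrillic), which legitimate brands rarely do."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return len(scripts) > 1


def lookalike_of(host: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain that `host` visually impersonates, or
    None. The real domain itself, in any letter case, is not a lookalike."""
    protected = [p.lower() for p in protected]
    if host.lower() in protected:
        return None
    sk = skeleton(host)
    for real in protected:
        if skeleton(real) == sk:
            return real
    return None
```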
Maybe the best advice of all is to never click on links to financial websites if you receive them in an email or see them on a website.
A long, long time ago, when the world was new and AOL 3.0 was considered to be really cool, the letter l (lower case L) and the letter I (upper case i) were actually identical (or at least, I couldn't see any difference at all, and there was only one font, the AOL font). And I had lots of fun logging into chatrooms with two screen names that appeared to be identical, and then having a big fight with myself over which of the two was the genuine article, while the other people in the chat room wondered what the hell was going on.
Simple yet highly effective. As someone mentioned in the Twitter feed after he posted that picture, you'd think that Lloyds (and indeed other banks) would actively buy up domains like this. Hopefully this will be a wake-up call.
I always switch the default UI font on my devices to a serif font for precisely this reason.
Decades ago in a support role that involved issuing password slips to new students that contained their username and initial randomly generated password we had a sudden epiphany. We removed the "i" "l" "1" "0" and "o" from the set of characters in the initial passwords and watched the number of jobs for "unable to login with initial password" plummet. It's not a new problem!
Although the latter part of this article actually does cover "IDN homograph" issues, Moore's trivial example is not such a thing. It is just the plain, old, well-known "(depending on the typeface) easily confused English character glyph" issue. The IDN homograph issue is that glyphs (or combinations of them) in one character set can look just like glyphs in another. There are guidelines/restrictions on what combinations of such character sets can be mixed when registering domain names, so good luck on getting, say, lloydsbank.co.uk registered where the apparent "o" (not as written just back there) is actually a character from some other character set that looks suitably like a Latin lowercase-o. Of course, whether all registries follow/enforce such guidelines is a good question that I'm not sure anyone is tracking especially closely…
Ohhh, and what browsers do not lowercase the domain name part of a URL in the address bar, which would (and in all desktop browsers I tested does) make this very obvious?