If you clicked on a link to IIoydsbank.co.uk you would expect to reach lloydsbank.co.uk, right?
This is actually a technique that has been used in phishing attacks for donkey’s years. It’s called an IDN homograph attack.
In this case, the site is taking advantage of the fact that an uppercase “i” looks like a lowercase “L”.
It’s easier to see what has happened if you view the URL in a different font.
lloydsbank.co.uk is the legitimate banking site.
IIoydsbank.co.uk is not.
Security consultant Paul Moore this weekend highlighted the issue, by registering the domain IIoydsbank.co.uk and asking people to spot the difference on Twitter:
— Paul Moore 🇬🇧 (@Paul_Reviews) June 27, 2015
That’s clearly cunning enough to outfox many computer users.
But then Paul went one step further, buying a TLS certificate for his IIoydsbank website, so it could display a green padlock to reassure visitors who visited its HTTPS address that their communications were being encrypted.
On some device/browser combinations the problem is compounded, showing the URL in its case-sensitive form – rather than lowercasing it to a more obvious “iioydsbank”.
So, what we have here is a bogus domain, which could easily fool many users into believing it was the genuine banking website, complete with a high level of HTTPS crypto.
Fortunately Paul is a good guy, so he’s only interested in raising awareness. He contacted the real Lloyds Bank, and transferred the ownership of the domain to them.
Cloudflare, who had happily supplied an SSL certificate for the site, revoked it yesterday and were (incorrectly) marking the site as being suspected of phishing.
If only they had shown an abundance of caution when asked to sell a certificate for a site with “bank” in its name a day or so before.
You may not have to worry about IIoydsbank any longer, but don’t forget there are plenty of other opportunities for attackers to outfox you with homograph attacks.
It’s not just uppercase I and lowercase L. For instance, zeroes look like the letter O, and there are a number of Cyrillic characters that look remarkably similar to letters in the basic Latin alphabet; those similarities can be exploited through browsers’ support for Unicode (internationalised) domain names.
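As an added example (not code from the article or from Paul Moore’s demonstration), here is a small Python checker of the kind a defender might run over links or logs: it decodes any punycode labels, collapses a hostname to a “skeleton” in which confusable characters coincide, and flags look-alikes of a protected domain. The confusable table and the protected list are constructed assumptions for this example, not the full Unicode confusables data.

```python
import unicodedata
from typing import Optional, Tuple

# Constructed confusable table for this example (an assumption, not the full
# Unicode UTS #39 confusables data): substitute character -> ASCII look-alike.
CONFUSABLES = {
    "I": "l", "|": "l", "1": "l",                  # read as lowercase L
    "0": "o",                                      # zero read as letter O
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а, е, о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р, с, х
    "\u0443": "y",                                 # Cyrillic у
}

# Domains to protect; assumed list, the article only names Lloyds.
PROTECTED = ["lloydsbank.co.uk"]


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so non-Latin look-alikes are visible."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Collapse a hostname so confusable characters coincide. Mapping happens
    BEFORE lower-casing, or a capital I would become 'i' and the trick is lost."""
    text = unicodedata.normalize("NFKC", to_unicode(host))
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def classify(host: str) -> Tuple[str, Optional[str]]:
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched brand)."""
    for brand in PROTECTED:
        if host.lower() == brand:
            return "legitimate", brand
        if skeleton(host) == skeleton(brand):
            return "lookalike", brand
    return "unrelated", None


if __name__ == "__main__":
    cyrillic = "lloydsbank.co.uk".replace("o", "\u043e")  # constructed sample
    for h in ("lloydsbank.co.uk", "IIoydsbank.co.uk", "l1oydsbank.co.uk",
              cyrillic, cyrillic.encode("idna").decode("ascii"), "example.org"):
        print(f"{h:40} -> {classify(h)}")
```

The digit mappings are deliberately aggressive, so a legitimate domain containing digits can collide with a brand skeleton; treat a “lookalike” verdict as a trigger for review rather than an automatic block.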
Maybe the best advice of all is to never click on links to financial websites if you receive them in an email or see them on a website.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.