Can you see why this WhatsApp message can’t be trusted?

Homographic attack on WhatsApp users.

Graham Cluley
@gcluley

Take a look at the above message that WhatsApp users have reported being sent to them via the messaging app. It claims that there is a free £250 voucher up for grabs which you can use to buy your groceries at an ASDA supermarket. Other versions claim that similar vouchers are available for Tesco and Marks & Spencer.

But can you see why you should be wary of clicking?

Well, not only does it sound too good to be true, but take a closer look at that URL the message says you should click on.

Sign up to our newsletter
Security news, advice, and tips.

Do you see the little mark above the “d” in “Asda”? It’s not a speck of dirt on your smartphone’s screen.

The “d” in the URL is in fact a “đ” (also known as a crossed d, or a d-stroke.)

That’s easy enough to tell when you see the image blown up on your desktop computer screen, but it’s a lot harder to spot when it appears in a WhatsApp message on your smartphone.

The character đ (Unicode U+0111) may not be used in English, but it is used in several other languages – and it turns out that technology’s ability to support a wide variety of languages comes at a cost.

What you’re seeing here is called a homograph attack, which exploits the fact that many different characters look alike. It’s a technique that has made it trivial for internet attackers to exploit near-identical looking characters to dupe unsuspecting users into clicking on dangerous links.

Phishers, for instance, love to use the trick to dupe you into thinking you are entering your credentials into your bank’s legitimate website

The latest spate of messages seen being spread on WhatsApp, as reported by The Mirror and Action Fraud, are not unique attacks, but are worth bearing in mind, when you receive suspicious messages via WhatsApp, SMS, Facebook Messenger, and so on.

Take care out there.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

10 comments on “Can you see why this WhatsApp message can’t be trusted?”

  1. Thanks for pointing this out. You could also mention that it is very important for people to recognise the writing style of the people that sent the message. It should be clear to many people and easier to spot a stupid spelling mistake like "thanks me later"

  2. It's time for ICANN to make a change in the way new domain names are accepted. It's no longer enough to check for an exact duplicate when registering a new domain. The definition of uniqueness for domain names ought to be extended to also exclude domain names that can be used in typo-squatting or homograph attacks. After all, It's hard to imagine any legitimate usage for such domain names.

  3. I've seen this before. There are apparently many characters that are so close to out chracter set that one can easily be tricked if one is not vigilant about the links one is going to click.
    If I find something suspicious I usually Copy and paste it into Notepad. Then I can inspect or Windows will give a message saying there are invalid characters.

  4. Can't always ditch them based on appalling grammar and weird non-native sentence structure, I've seen plenty of corporate emails that would be thrown out on that basis!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.