Can you see why this WhatsApp message can’t be trusted?

Homographic attack on WhatsApp users.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Can you see why this URL can't be trusted?

Take a look at the above message that WhatsApp users have reported being sent to them via the messaging app. It claims that there is a free £250 voucher up for grabs which you can use to buy your groceries at an ASDA supermarket. Other versions claim that similar vouchers are available for Tesco and Marks & Spencer.

But can you see why you should be wary of clicking?

Well, not only does it sound too good to be true, but take a closer look at that URL the message says you should click on.

Sign up to our free newsletter.
Security news, advice, and tips.

Fake asda

Do you see the little mark above the “d” in “Asda”? It’s not a speck of dirt on your smartphone’s screen.

The “d” in the URL is in fact a “đ” (also known as a crossed d, or a d-stroke.)

That’s easy enough to tell when you see the image blown up on your desktop computer screen, but it’s a lot harder to spot when it appears in a WhatsApp message on your smartphone.

The character đ (Unicode U+0111) may not be used in English, but it is used in several other languages – and it turns out that technology’s ability to support a wide variety of languages comes at a cost.

What you’re seeing here is called a homograph attack, which exploits the fact that many different characters look alike. It’s a technique that has made it trivial for internet attackers to exploit near-identical looking characters to dupe unsuspecting users into clicking on dangerous links.

Phishers, for instance, love to use the trick to dupe you into thinking you are entering your credentials into your bank’s legitimate website

The latest spate of messages seen being spread on WhatsApp, as reported by The Mirror and Action Fraud, are not unique attacks, but are worth bearing in mind, when you receive suspicious messages via WhatsApp, SMS, Facebook Messenger, and so on.

Take care out there.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

10 comments on “Can you see why this WhatsApp message can’t be trusted?”

  1. Andrew

    Thanks for pointing this out. You could also mention that it is very important for people to recognise the writing style of the people that sent the message. It should be clear to many people and easier to spot a stupid spelling mistake like "thanks me later"

  2. furriephillips

    Also, LOL @ d-stroke ;)

  3. Mark Jacobs

    Why on earth would Asda be celebrating "68 years" of service? :-) I can understand 50 or 75 or 100 but 68? Come on!

  4. Farid Tahery

    It's time for ICANN to make a change in the way new domain names are accepted. It's no longer enough to check for an exact duplicate when registering a new domain. The definition of uniqueness for domain names ought to be extended to also exclude domain names that can be used in typo-squatting or homograph attacks. After all, It's hard to imagine any legitimate usage for such domain names.

    1. Spryte · in reply to Farid Tahery

      I Second the Motion!!

  5. neil bryce

    Got one of these messages the other day,ignored it.

  6. Alisa

    Thanks for this, Graham. Good information to know & share widely.

  7. Spryte

    I've seen this before. There are apparently many characters that are so close to out chracter set that one can easily be tricked if one is not vigilant about the links one is going to click.
    If I find something suspicious I usually Copy and paste it into Notepad. Then I can inspect or Windows will give a message saying there are invalid characters.

  8. Adrian

    Can't always ditch them based on appalling grammar and weird non-native sentence structure, I've seen plenty of corporate emails that would be thrown out on that basis!

  9. Gabor

    It's should be corrected to "homoglyph attack" as the similarity of the characters are being exploited.

Leave a Reply to Alisa Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.