The claim: Hackers use visually similar characters to deceive people in online phishing schemes
Online attackers bent on stealing personal information are using a visual deception to trick people into visiting malicious websites, a post circulating on social media claims.
The April 20 Facebook post shows two web addresses that, at first glance, appear identical. A closer look, though, shows that one character – in this case, the letter “a” – is slightly different in each one.
“An average internet user can easily fall for this,” the post reads. “Be careful for every mail requiring you to click on a link.”
The post has been shared hundreds of times on Facebook.
The claim appears to be true. Credible sources dating back to the early 2000s warn against this kind of “spoofing” of the website a user intends to visit, and reports of the technique being used have continued to surface in recent years.
The user who shared the post could not be reached for comment.
How does the attack work?
The attack is a form of “spoofing,” in which someone poses as a legitimate institution in an attempt to obtain personal information.
“Most people by now have gotten a little bit suspicious. ... The idea is how can they trick you into thinking you know who it is or what it is when it isn’t,” said Stuart Madnick, founding director of Cybersecurity at MIT Sloan.
In this instance, the trick exploits visual similarities between characters in the Roman (Latin) alphabet used for English and the Cyrillic alphabet, which Britannica.com says was developed for Slavic-speaking peoples and is used in more than 50 languages, including Russian. Security researchers call this an internationalized domain name (IDN) homograph attack: the two addresses look the same on screen, but they are different names and lead to different servers.
By substituting Cyrillic characters for Roman letters that look similar, such as the lowercase “a,” hackers can register a web address that displays almost identically to a trusted one and direct a user who intended to visit that site to another. Madnick said there are other ways to deceive without changing the alphabet, such as replacing a lowercase “L” with a capital “I,” which look the same in some fonts.
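The following is an added example, not code from the article, CISA or MIT Sloan. It shows the two checks a mail gateway or link scanner can run on the host part of a URL: what name is really sent to DNS once the look-alike characters are encoded in the “xn--” (Punycode) form, and whether the name collapses onto a domain you care about once visually confusable characters are folded to their Latin look-alikes. The confusables table and the list of trusted domains are constructed for the example; the real Unicode confusables list is far larger.

```python
"""Look-alike hostname detector (added example; not from the article).

Checks applied to the host part of a URL:
  1. Does any DNS label mix scripts (Latin + Cyrillic), and what is its real
     IDNA/Punycode ("xn--") form?
  2. After folding visually confusable characters to a Latin "skeleton", does
     the name collide with a trusted domain while being a different name?
The confusables table is a small hand-picked subset of Unicode TR39.
"""
import unicodedata

# Constructed subset: look-alike characters mapped to the Latin letter they
# imitate, plus the in-script lookalikes the article mentions (capital I vs
# lowercase l). Applied before lowercasing so that "PayPaI" folds to "paypal".
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "I": "l",       # capital I and lowercase l are identical in many sans-serif fonts
    "1": "l",
    "0": "o",
}


def to_dns_name(host: str) -> str:
    """Return the name actually sent to DNS: IDNA (Punycode) encoded, lowercased."""
    return host.encode("idna").decode("ascii").lower()


def to_unicode(dns_name: str) -> str:
    """Inverse of to_dns_name: decode xn-- labels back to what a browser would draw."""
    return dns_name.encode("ascii").decode("idna")


def scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) of the letters in a label."""
    found = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(host: str) -> str:
    """Fold confusable characters to their Latin look-alike, then lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host).lower()


def analyze(host: str, trusted: list) -> dict:
    """Flag a hostname that mixes scripts or that collapses onto a trusted domain."""
    dns_name = to_dns_name(host)
    mixed = [label for label in host.split(".") if len(scripts(label)) > 1]
    skel = skeleton(host)
    lookalike = None
    for name in trusted:
        # Same skeleton but a different real name: this is the homograph case.
        if skeleton(name) == skel and dns_name != to_dns_name(name):
            lookalike = name
            break
    return {
        "input": host,
        "dns_name": dns_name,
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # Constructed inputs: the article's Cyrillic-"a" trick, an all-Cyrillic
    # label that passes a mixed-script test, the capital-I trick, and the real name.
    trusted = ["apple.com", "paypal.com"]
    for host in ["\u0430pple.com", "\u0430\u0440\u0440\u04cf\u0435.com", "PayPaI.com", "apple.com"]:
        print(analyze(host, trusted))
```

Two points worth noting from the output. First, the Cyrillic-“a” address from the post is sent to DNS as `xn--pple-43d.com`, which is why an up-to-date browser that shows mixed-script labels in their xn-- form gives the game away. Second, a label made entirely of Cyrillic look-alikes (`xn--80ak6aa92e.com`) passes a plain mixed-script test, and the capital-I trick never leaves the Latin alphabet at all, so the skeleton comparison against your own list of domains is the check that catches both.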
“Instead of going to a legitimate site, you may be directed to a malicious site, which could look identical to the real one,” notes a 2008 security tip now published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). “If you submit personal or financial information while on the malicious site, the attacker could collect the information and then use and/or sell it.”
How do you avoid falling into the trap?
Spoofed hyperlinks and websites are a red flag for a potential attempt to steal personal information, according to CISA, part of the U.S. Department of Homeland Security. CISA recommends three steps to avoid falling victim to the scheme:
- Avoid clicking on links and instead type the web address into an internet browser.
- Keep web browsers up to date because older versions have fewer protections in place.
- Hover over links before clicking on them to see the true destination. If the web address the link directs to is unfamiliar, it might be an attempt to deceive you.