Inside RedVDS: How a single virtual desktop provider fueled worldwide cybercriminal operations - RedPacket Security

Over the past year, Microsoft Threat Intelligence observed the proliferation of RedVDS, a virtual dedicated server (VDS) provider used by multiple financially

RedPacket Security

A homoglyph attack involves a deception technique used by threat-actors to register domain names that closely resemble legitimate domains, often using characters that look nearly identical.

This approach exploits users, causing them to mistakenly visit the fraudulent site, thinking it's the real one. This attack is particularly successful when browsing on a mobile device. On mobile, domains are sometimes difficult to view because of fonts and screen sizes.

For example, a threat-actor could register "G00GLE.com" instead of "GOOGLE.com," using zeroes instead of "O"s, but the changes aren't always as obvious as O's and 0's. They can also include the use of similar characters from other languages.

Could you spot these differences?

1. gοοgle.com (Uses Greek "ο" instead of Latin "o")
2. microsοft.com (Similar trick with Greek "ο")
3. paypaI.com (Uses capital "I" instead of lowercase "l")
4. facebοok.com (Uses Cyrillic "о" instead of Latin "o")
5. amazοn.com (Swaps Latin "o" with Cyrillic "о")

***LinkedIn warned me it could not load the above links.***

So how can we thwart homoglyph attacks?

1. Double check URLs carefully – Review the domain name closely before clicking on links, especially in emails or messages. Pay attention to any unusual characters. If you received an email from someone, instead of using the link in any message, use a known good link. This can be from a trusted app, browser bookmark or from a password manager.

2. Use Multi-Factor Authentication (MFA) – Even if credentials are stolen through a phishing site, MFA adds an extra layer of security by requiring additional verification. Please be aware, threat-actors are not using automation to man-in-the-middle MFA to gain access to accounts and make account changes in near real time.

3. Employ domain monitoring tools – Organizations can use services that detect fraudulent domains impersonating their brand and take action against them. Many endpoint detection and response platforms conduct domain checks for suspicious activity.

4. Check for HTTPS & Security Certificates – Ensure that a website is encrypted and secure. However, note that attackers can still obtain HTTPS certificates for fake sites, so this alone isn't enough. Most modern web browsers automatically prevent accessing unencrypted domains; do not click through on-screen warnings.

Vigilance, security tools and a keen eye are all needed to reduce these types of attacks from being successful.

#CyberSecurity #Cyber #homoglyphs #HomoglyphAttacks #ThreatActors
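The checks a domain-monitoring tool would run on the five lookalikes above (mixed-script letters, a confusable "skeleton" that collides with the imitated brand, and the punycode form that actually appears in logs), as an added Python example that is not part of the original post. The CONFUSABLES table is a constructed subset of the Unicode confusables data and PROTECTED_BRANDS is an assumed list.

```python
"""Lookalike-domain check for the homoglyph tricks shown above.
Added example, not from the original post: CONFUSABLES is a constructed
subset of the Unicode confusables data and PROTECTED_BRANDS is assumed."""
import unicodedata

# Constructed subset: visually confusable character -> Latin skeleton character.
CONFUSABLES = {
    "\u03bf": "o",  # Greek small omicron (gοοgle.com)
    "\u043e": "o",  # Cyrillic small o (facebοok.com)
    "\u0430": "a",  # Cyrillic small a
    "I": "l",       # capital I for lowercase l (paypaI.com)
    "0": "o",       # zero for letter o (G00GLE.com)
}
PROTECTED_BRANDS = {"google", "microsoft", "paypal", "facebook", "amazon"}


def skeleton(label: str) -> str:
    """Collapse a label so that lookalikes map onto the brand they imitate."""
    label = unicodedata.normalize("NFKC", label)
    # Map confusables before lowercasing, so 'I' becomes 'l' rather than 'i'.
    return "".join(CONFUSABLES.get(ch, ch) for ch in label).lower()


def scripts_in(label: str) -> set:
    """Coarse script names of the letters in a label, e.g. {'LATIN', 'GREEK'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def check_domain(domain: str) -> dict:
    """Report whether the first label of `domain` imitates a protected brand."""
    label = domain.split(".")[0]
    skel = skeleton(label)
    # A genuine brand label is its own skeleton; a lookalike is not.
    brand = skel if skel in PROTECTED_BRANDS and label.lower() != skel else None
    try:  # the ASCII form a browser, resolver or proxy log would actually show
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = domain
    return {"domain": domain, "punycode": punycode, "brand": brand,
            "mixed_script": len(scripts_in(label)) > 1,
            "non_ascii": not label.isascii()}


if __name__ == "__main__":
    for d in ("google.com", "g\u03bf\u03bfgle.com", "paypaI.com",
              "faceb\u043eok.com", "G00GLE.com"):
        print(check_domain(d))
```

Note that "paypaI.com" is pure ASCII, so an IDN or punycode check alone would never flag it; only the skeleton comparison catches the capital-I trick.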

A recent cybersecurity study revealed a sophisticated malware campaign targeting NuGet, a package manager for .NET applications. Attackers used homoglyphs, characters that look similar but have different codes (for example, the number '0' and the letter 'O', or the lowercase 'l' and the uppercase 'I'), to create fake packages that seemed legitimate but contained malicious code. They also employed IL weaving, a method that alters .NET binaries to insert harmful modules disguised as legitimate ones. This campaign involved around 60 packages and 290 versions, highlighting the need for increased vigilance in software supply chains.

https://thecyberexpress.com/homoglyphs-il-weaving-malicious-nuget-campaign/

#cybersecurity #NuGet #malware #homoglyphs #ILWeaving #malwarecampaign #DotNet #CodeInjection #SecurityResearch

Malicious NuGet Packages Hidden With Homoglyphs and IL Weaving

A sophisticated malware campaign targeting the NuGet package manager employed advanced techniques such as homoglyphs and IL weaving to evade detection.

The Cyber Express

@charlotte There are certainly contexts in which Unicode unambiguously and demonstrably leads to security weaknesses and issues. See generally homoglyph attacks.

At the heart of the lie and damage is the existence of a message which appears to say one thing but in fact says something different. It's the very limited nature of 7-bit ASCII, 128 characters in total, which provide its utility here. Yes, this means that texts in other languages must be represented by transliterations and approximations. That's ... simply a necessary trade-off.

We see this in other domains, in which for the purposes of reducing ambiguity and emphasizing clarity standardisation is adopted.

Internationally, air traffic control communications occur in English, and aircraft navigation uses feet (altitude) and nautical miles (distance) units.

Through the early 20th century, the language of diplomacy was French. The language of much scientific discourse, particularly in physics, was German. And for the Catholic Church, Latin was abandoned for mass only in the 1960s.

Trading and maritime cultures tend to create pidgin languages --- common amongst participants, but foreign to all, as distinguished from a creole, an amalgam language with native speakers.

A key problem with computers is that the encodings used to create visual glyphs and the glyphs themselves are two distinct entities, and there can be a tremendous amount of ambiguity and confusion over similarly-appearing characters. Or, in many cases, glyphs cannot be represented at all.

Where the full expressive value of language is required --- within texts, in descriptive fields, and in local or native contexts, I'm ... mostly ... open to Unicode (though it can still present problems).

Where what is foremost in functionality is broad and universal understanding, selecting a small standardised and widely-recognised characterset has tremendous value, and no amount of emotive shaming changes that fact.

As an example, OpenStreetMap generally represents local place names in local language and charactersets. This may preserve respect or integrity to the local culture. As a user of the map, however, not knowing that language or characterset, it is utterly useless to me. Or, quite frankly, anyone not specifically literate in that language and writing system.

It's worth considering that the characterset and language in question are themselves adoptions and impositions: English was brought into Britain by invaders, the alphabet used is itself Roman, based on Greek and originally Phoenician glyphs. English has adopted or incorporated terms from a huge set of other languages (rendering its own internal consistency ... low ... and making it confusing to learn).

International communications and signage, at airports, on roadways, in public buildings, on electronic devices, aims at small message sets and consistent, widely-recognised symbols, shapes, fonts, and colours. That is a context in which the freedoms of unfettered Unicode adoption are in fact hazardous.

(Yes, many of those symbols now have Unicode code points. It is the symbol set and glyph set which is constrained in public usage.)

And the simple fact is that a widely recognised encoding system will most often reflect on some power structure or hierarchy, as that's how these encodings become known --- English, Roman Alphabet, French, German, Latin, etc. Small minor powers tend not to find their writing systems widely adopted (yes, there are exceptions: use of Greek within the Roman empire, Hindu numbering systems). Again, exceptions.

#unicode #risk #complexity #constraints #homoglyphs #HomoglyphAttacks

It is spelled "URl"

There are many sectarian divides in computing. "Little-Endians" and "Big-Endians" wage bitter war against each other over the order of bits. Should lines in text files end with \r\n or just \n? And both vi and emacs users fight betwixt themselves while ignoring the superior foe - nano. Perhaps the most contentious of these is the battle between URI and URL. Should we refer to links on the web…

Terence Eden’s Blog

It is spelled "URl"
https://shkspr.mobi/blog/2020/03/it-is-spelled-url/

There are many sectarian divides in computing.

  • "Little-Endians" and "Big-Endians" wage bitter war against each other over the order of bits.
  • Should lines in text files end with \r\n or just \n?
  • And both vi and emacs users fight betwixt themselves while ignoring the superior foe - nano.

Perhaps the most contentious of these is the battle between URI and URL. Should we refer to links on the web as Uniform Resource Identifiers or Locators? Obviously there is a correct answer - and anyone who disagrees is a heretic.

So, I've come up with a compromise guaranteed to ~~annoy~~ satisfy everyone - URl.

That's upper-case U, upper-case R, lower case L.

Perfect!

https://shkspr.mobi/blog/2020/03/it-is-spelled-url/

#homoglyphs #homograph #troll
