A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic and Ukrainian.

The U.S. financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team’s domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ[.]com.

Have a look at the Punycode in this Disneyland Team phishing domain: https://login2.xn--mirtesnbd-276drj[.]com, which shows up in the browser URL bar as login2.ẹmirạtesnbd[.]com, a domain targeting users of Emirates NBD Bank in Dubai.

Here’s another domain registered this year by the Disneyland Team: https://xn--clientchwb-zxd5678f[.]com, which spoofs the login page of financial advisor Charles Schwab with the landing page of cliẹntșchwab[.]com. Again, notice the dots under the letters “e” and “s”. Another Punycode domain of theirs sends would-be victims to cliẹrtschwạb[.]com, which combines a brand misspelling with Punycode.

Read more: https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/
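A defender-side check for the lookalike domains described above, as an added example that is not part of the original post: it decodes each `xn--` label to what the browser displays, names the non-ASCII characters, and folds diacritics to see whether the result collides with a protected brand. The `WATCHLIST` contents and function names are assumptions made for illustration.

```python
import unicodedata

# Hypothetical watchlist of brand labels to protect (assumption, not from the post).
WATCHLIST = {"ameriprise", "emiratesnbd"}

def decode_label(label):
    """Return the Unicode form of one DNS label; 'xn--' marks a Punycode A-label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def skeleton(text):
    """Fold diacritics: NFKD splits a dotted 'a' into 'a' + U+0323, then marks are dropped.
    This catches dotted/accented Latin letters only, not cross-script homoglyphs."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def inspect_host(host):
    """Report every label of a hostname that renders with non-ASCII characters."""
    host = host.replace("[.]", ".")  # accept defanged input
    findings = []
    for label in host.split("."):
        shown = decode_label(label)
        odd = [c for c in shown if ord(c) > 127]
        if not odd:
            continue
        folded = skeleton(shown)
        findings.append({
            "label": label,
            "displayed": shown,
            "non_ascii": [unicodedata.name(c, "UNKNOWN") for c in odd],
            "skeleton": folded,
            "matches_brand": folded in WATCHLIST,
        })
    return findings

if __name__ == "__main__":
    # Hostnames quoted in the post above, kept defanged.
    for host in ("www.xn--meripris-mx0doj[.]com",
                 "login2.xn--mirtesnbd-276drj[.]com",
                 "ameriprise.com"):
        hits = inspect_host(host)
        if not hits:
            print(f"{host}: no non-ASCII labels")
        for hit in hits:
            print(f"{host}: shows as {hit['displayed']!r}, folds to "
                  f"{hit['skeleton']!r}, brand match={hit['matches_brand']}")
            for name in hit["non_ascii"]:
                print(f"    {name}")
```
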

The Disneyland Team aren't phishers, exactly. They use a version of the Gozi trojan to redirect victims to their fake bank page, which forwards traffic to and from the real bank site, and allows interaction with the bot/victim.
@briankrebs relay attack
@briankrebs also this is literally exactly what WebAuthn is designed for, because that cannot be relayed while maintaining plaintext access. Either you proxy the entire TLS connection to the correct domain, or it fails to authenticate.