On Monday, Microsoft said that it had obtained a court order to remove a number of malicious homoglyph domains that a criminal group had registered to spoof legal sites of various firms, mostly in North America.
Using alpha-numeric character similarities, hackers register homoglyph domains that closely resemble those of genuine organisations, but are actually controlled by unauthorised people.
Business email compromise (BEC) attacks are common, but nation-state adversaries and malware and ransomware distribution operations also use it for network compromise, combining credential phishing with account compromise.
Microsoft took action against a criminal gang that registered around 20 fraudulent homoglyph domains, mostly imitating the legal websites of small firms in North America in a variety of industries.
The financially motivated hackers, according to Microsoft, could be part of a large network centred in West Africa.
The attackers used stolen credentials and bogus domains to gain unauthorised access to and monitor accounts, gather intelligence, and impersonate Microsoft customers in order to dupe victims into sending money to them.
In a blog post, Microsoft stated, “Once the thieves obtained access to a network, they resembled customer personnel and targeted their trusted networks, vendors, contractors, and agents in an attempt to fool them into delivering or accepting fraudulent financial payments.”
The attackers used legitimate Office 365 e-mail communication to send an impersonation email from a homoglyph domain (with a single letter modified) and convince the recipient that the message came from a known trusted source in one case. They then claimed that the CFO had placed a hold on the account, requesting that a payment be made as soon as possible.
Redmond secured an injunction for third-party service providers to delete the bogus domains so that the attackers can’t continue their criminal conduct even if they shift their infrastructure outside the Microsoft ecosystem.
“The action will help us to further weaken the perpetrators’ capabilities and, more critically, acquire additional evidence to conduct future disruptions inside and outside of court,” Microsoft writes, noting that fraudsters are increasingly using homoglyph domains.