Hackers Exploit Link Hovering to Steal Login Credentials

GoogIe, goog1e, goog/e, goog|e, G00gle, google, and google are not Google. They are variations that hackers sometimes use to hide the name of the real site they want you to visit; once they get you there, they can take advantage of the ploy to steal your Google login credentials.

In the Edge browser:

GoogIe resolves to googie, a site for a real estate agency.

goog1e resolves to “Hmmm… can’t reach this page”. (Those are not the letter, ‘o’.)

goog/e redirects you to googe.com which redirects you to a page that says, “Thank You”.

goog|e, google, and google resolve to ‘ggle.com’ as the browser is programmed not to recognize symbols and suggests the Google Search page.

G00gle resolves to “Hmmm… can’t reach this page”.

This shows that putting look-alike symbols (homoglyphs) directly into the URL is generally blocked. Most big companies will buy up any URLs that are similar in any way to their names to prevent hackers from using them for nefarious purposes. However, hackers can make it look like you are going to a trusted site by using homoglyphs that appear in the mouse/cursor hover-over function. Keep in mind that the age-old advice of hovering over a link before navigating to it is still sound; it’s just that hackers have found ways to abuse this function.

So let’s say you want to use homoglyphs to trick people into visiting a site that looks like a login for a legitimate site. For purposes of this post, I’ll stick with the Google login page as the legitimate site that the hacker wants to emulate. First of all, you need to search for good homoglyphs for the letters in the word ‘Google’. No problem. There is a site that will help you with this called Homoglyph Attack Generator. You simply type in the word you need homoglyphs for and it will give you a list of possible homoglyphs.

Eventually, following the directions will generate a link like this.


The xn-- prefix indicates Punycode, which in turn means that Unicode letters or numbers were converted to ASCII. This happens if foreign characters are registered in a URL. In order to navigate to these foreign sites, I’d need the browser to convert them. For example, this is a legitimate site: müller-büromöbel.de. Notice, however, that it has German characters in it that cannot be resolved as normal ASCII characters, so the browser automatically converts it. The site’s Punycode address is http://xn--mller-brombel-rmb4fg.de/. Again, the xn-- is an indicator that this is a Punycode-converted address. Typing this address into the address bar will lead you to an actual page on the internet.

Most browsers will resolve the Punycode address with the German characters but will not resolve the address I created in the hover-over. This seems to indicate that there are certain allowable characters, some of which may appear depending on your browser settings. If this is the case, any browser can be manipulated by these ploys. Anyway, for the sake of argument, let’s assume the fake Google Punycode address I created actually leads to a legitimate foreign site. I will be referring to the Edge browser from here on.


Now, if I received such a link, or saw such a link on the internet, I might be suspicious of the encoded name. But hover over the link in some browsers, applications, or emails and you’ll see the homoglyph link that I previously created.

Sure, if you look closely, it doesn’t exactly look like Google, but you could fine tune this if you wanted to. Nonetheless, you are still left with a strange URL. But there’s no reason we can’t change that. We can simply type in the site we want to lead the victim to.


Now, together with the hover over and homoglyph, the potential victim is far more likely to follow the link and be subjected to whatever attack we’ve prepared for them. Anyway, this is all just to show that the hover over event can, indeed, be manipulated, and probably better than I showed here.

This all leads us to a new attack vector known as the browser-in-the-browser attack (BITB). If you’ve roamed the internet long enough, you’ve undoubtedly encountered something like this when you try to navigate to certain sites.

In the code for any link is the href code. For the Google login shown above, it will look like this.

The person visiting the page will only see the word ‘Google’ appear as the name of the link. When hovering, they will see the Gmail destination in the lower left corner of their screen, and, when clicked on, the user will be led to a login page as shown above, which will often have their Gmail address already filled in. A recent post shows how this can be abused. If the href is programmed to be ignored, it will not go to the linked page but will still show the link destination. In the case above, hovering over the link will still show a link to Gmail. But, as I understand it, the victim must be on a weaponized page to begin with. It’s just that when they call up the login screen, they think it is legitimate, since the link seemed valid. They do not realize that it is part of the website and not at all connected to Google. They will then log in with their credentials and, in effect, give them to the hacker. The two hacks described above could be combined to get a victim to a target page and then launch the fake login page.

And, yes, this attack is now being used. Recent reports show that Belarus hackers are now using this BITB attack. Keep in mind that this could easily be tooled to have a user sign into a corporate or government network, so be sure your endpoints are secure, especially now that the US government has warned of a plague of cyber attacks from Russia and Belarus. The threat landscape is far more dangerous than it used to be and extra caution is advised.
