Convincing Google Impersonation Opens Door to MiTM, Phishing

Would you (more importantly, your users) spot the difference?…:

[…] As an example, this URL uses a homographic character as its first character: “ɢoogle.news.” Compared with the legitimate “google.news”, there is a barely discernible difference in how it renders.

Lumelsky noted that a few years ago someone bought the homograph-containing “ɢoogle.com” to use it for phishing purposes.

“I wondered to myself: There are new top-level-domains every year. Did the world learn from the ɢoogle.com acquisition? How hard is it to create a good Google phishing website from scratch?”

Setting out to find out, the researcher turned to the main domain registrars – GoDaddy, Namecheap and even Google Domains – to first see whether he could obtain suitable domain names. He found the process so simple that a basic search produced a dozen suggestions for available domain names, including ɢoogle.company; ɢoogle.email; ɢoogle.tv; ɢoogle.life and even ɢoogletranslate.com, all for what Lumelsky said was a “great” price. He purchased a handful of them, using an obviously fake identity that included “Not Google :)” as the company name.
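A defender-side check of the kind these look-alike registrations call for, added here as an example (it is not code from the article or from the researcher). It assumes a constructed brand watchlist and uses only the Python standard library: each label of a hostname is checked for the mixed ASCII/non-ASCII pattern, folded to a crude ASCII skeleton (so “ɢ”, LATIN LETTER SMALL CAPITAL G, collapses to “g”), and compared against the protected brand; the punycode form is returned so the finding can be logged in the shape resolvers and certificate logs actually record.

```python
"""Flag hostnames that impersonate a protected brand with look-alike characters."""
import re
import unicodedata

# Constructed watchlist of brands to protect (assumption for this example).
WATCHLIST = ("google",)

# Unicode names such as "LATIN LETTER SMALL CAPITAL G" or "LATIN SMALL LETTER A"
# reveal which ASCII letter a glyph is designed to resemble.
_LATIN_NAME = re.compile(
    r"^LATIN (?:LETTER SMALL CAPITAL|SMALL LETTER|CAPITAL LETTER) ([A-Z])(?:\s|$)"
)


def ascii_skeleton(label: str) -> str:
    """Crude confusable folding: map each character to the ASCII letter it resembles.

    Accents are stripped via NFKD, small-capital and similar Latin variants are
    mapped through their Unicode name, and anything else is kept as-is so that
    it still differs from the genuine brand string.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue  # drop combining marks: 'é' -> 'e'
        if ch.isascii():
            out.append(ch.lower())
            continue
        m = _LATIN_NAME.match(unicodedata.name(ch, ""))
        out.append(m.group(1).lower() if m else ch)
    return "".join(out)


def inspect_hostname(host: str) -> dict:
    """Return the punycode form plus any homograph findings for a hostname."""
    host = unicodedata.normalize("NFC", host.strip().rstrip(".")).lower()
    findings = []
    for label in host.split("."):
        non_ascii = [c for c in label if not c.isascii()]
        if not non_ascii:
            continue  # plain ASCII label: nothing to fold or flag
        # Rule 1: ASCII letters mixed with non-ASCII characters inside one
        # label is the classic homograph pattern; genuine IDNs are normally
        # written in a single script.
        if any(c.isascii() and c.isalpha() for c in label):
            findings.append(f"{label}: mixed ASCII/non-ASCII label")
        # Rule 2: after confusable folding the label contains a protected brand
        # that the raw label does not, i.e. it only *looks* like the brand.
        skel = ascii_skeleton(label)
        for brand in WATCHLIST:
            if brand in skel and brand not in label:
                findings.append(f"{label}: folds to '{skel}', impersonates '{brand}'")
        # Record every non-ASCII code point so an analyst can see what was used.
        for c in non_ascii:
            findings.append(f"{label}: U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}")
    return {
        "host": host,
        # Python's built-in IDNA codec gives the xn-- form seen in DNS and CT logs.
        "punycode": host.encode("idna").decode("ascii"),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: the researcher's look-alike beside the genuine name.
    for sample in ("ɢoogle.news", "google.news", "ɢoogletranslate.com"):
        report = inspect_hostname(sample)
        print(report["host"], "->", report["punycode"], "suspicious:", report["suspicious"])
        for f in report["findings"]:
            print("   ", f)
```

The skeleton is deliberately small: it handles accented and small-capital Latin variants, which is enough to catch the ɢ case, but a production deployment would swap in the full Unicode confusables table (UTS #39) and run the check over proxy logs or certificate transparency feeds rather than on single strings.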

After that, he set up a virtual private server in the cloud to host the domains, and he also requested a Let's Encrypt certificate to “safeguard” traffic to and from the sites – and to get around security red flags from browsers. Chrome, for instance, showed the domains as “Secure” (with a lock icon) thanks to the certificate.

“Now, one can use https:// links to gain trust, while providing malicious content,” Lumelsky said.

The next step was routing the sites’ Domain Name System (DNS) traffic to the cloud server. DNS translates human-readable website names into machine addresses, which underpins most internet interactions between sites, plugins and the like. He also set up an nginx proxy, masking the true destination of requests to the site. And to seal the deception, he used Google’s JavaScript code from the legitimate site as the code for his own.

“The great thing about using a proxy is that my domain’s link previews, on every single platform, fetch Google Translate’s exact description while pointing to my link,” the researcher explained. “[Also,] Google’s JS runs normally from my domain.”

In all, Lumelsky said that it was a simple affair to set up a very convincing fake domain – it took minutes, with no coding, he explained. Further, “on mobile phones, the ‘ɢ’ in my domain looks like an actual ‘G,’” he said.

[…]

Original article here