Can you see why this WhatsApp message can't be trusted?

Homographic attack on WhatsApp users.

Can you see why this URL can't be trusted?

Take a look at the above message that WhatsApp users have reported being sent to them via the messaging app. It claims that there is a free £250 voucher up for grabs which you can use to buy your groceries at an ASDA supermarket. Other versions claim that similar vouchers are available for Tesco and Marks & Spencer.

But can you see why you should be wary of clicking?

Well, not only does it sound too good to be true, but take a closer look at that URL the message says you should click on.

Fake asda

Do you see the little mark above the "d" in "Asda"? It's not a speck of dirt on your smartphone's screen.

The "d" in the URL is in fact a "đ" (also known as a crossed d, or a d-stroke).

That's easy enough to tell when you see the image blown up on your desktop computer screen, but it's a lot harder to spot when it appears in a WhatsApp message on your smartphone.

The character đ (Unicode U+0111) may not be used in English, but it is used in several other languages, Vietnamese and Croatian among them - and it turns out that technology's ability to support a wide variety of languages comes at a cost.

What you're seeing here is called a homograph attack. It exploits the fact that many different characters look alike, which makes it trivial for an attacker to register a domain name that is near-identical to a trusted one and dupe unsuspecting users into clicking on a dangerous link.

Phishers, for instance, love to use the trick to dupe you into thinking you are entering your credentials into your bank's legitimate website.
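To make the trick concrete, here is a short Python script, an added example that is not part of the original article and not anyone's product, which pulls the hostname out of a URL, lists every non-ASCII character with its code point and Unicode name, shows the IDNA ("xn--") form that is actually sent to the resolver, and checks whether a label impersonates a brand name once lookalike characters are folded back to ASCII. The sample URL and the small lookalike table are constructed for the example; the real message's URL is not reproduced.

```python
# Added example, not from the original article: inspect a URL's hostname the
# way a wary reader (or a chat/mail filter) should, and show how a d-stroke hides.
import unicodedata
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Small hand-built table of characters that look like ASCII letters but have no
# Unicode decomposition, so accent-stripping alone never catches them.
# Assumption: a production filter would use the full Unicode confusables data.
LOOKALIKES = {
    "\u0111": "d",  # đ LATIN SMALL LETTER D WITH STROKE (the "Asda" case)
    "\u0131": "i",  # ı dotless i
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
}


def hostname_of(url: str) -> str:
    """Return the host part of a URL; urlsplit lowercases it for us."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host


def non_ascii_report(hostname: str) -> List[Tuple[str, str, str]]:
    """Every non-ASCII character in the hostname with code point and Unicode name."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in hostname
        if ord(ch) > 0x7F
    ]


def to_wire_form(hostname: str) -> str:
    """IDNA-encode the hostname: what the resolver actually sees, 'xn--' labels and all."""
    return hostname.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Crude confusable skeleton: strip combining accents, then fold known lookalikes."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return "".join(LOOKALIKES.get(c, c) for c in stripped).lower()


def flagged_brand(hostname: str, brands: Iterable[str]) -> Optional[str]:
    """Return a brand (given in lowercase) that some label imitates but does not spell."""
    for label in hostname.split("."):
        skel = skeleton(label)
        for brand in brands:
            if brand in skel and brand not in label:
                return brand
    return None


if __name__ == "__main__":
    # Constructed sample URL; the real message's link is not reproduced here.
    url = "http://www.as\u0111a-vouchers.example/claim"
    host = hostname_of(url)
    for ch, cp, name in non_ascii_report(host):
        print(f"{ch!r} is {cp} {name}")
    print("on the wire:", to_wire_form(host))
    print("impersonates:", flagged_brand(host, ["asda", "tesco", "marksandspencer"]))
```

Two points worth noticing when you run it. First, đ has no Unicode decomposition, so the common "normalise to NFKD and drop the accents" trick leaves it untouched; a filter needs an explicit lookalike table on top. Second, the wire form of a label like "asđa" is "xn--asa-wqa", which is why pasting a suspicious link into a plain text editor or a DNS lookup tool exposes what a chat bubble hides.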

The latest spate of messages seen being spread on WhatsApp, as reported by The Mirror and Action Fraud, are not a new kind of attack, but they are worth bearing in mind when you receive suspicious messages via WhatsApp, SMS, Facebook Messenger, and so on.

Take care out there.

9 Responses

  1. Andrew

    November 7, 2017 at 3:04 pm #

    Thanks for pointing this out. You could also mention that it is very important for people to recognise the writing style of the people that sent the message. It should be clear to many people and easier to spot a stupid spelling mistake like "thanks me later"

  2. furriephillips

    November 7, 2017 at 3:27 pm #

    Also, LOL @ d-stroke ;)

  3. Mark Jacobs

    November 7, 2017 at 5:46 pm #

    Why on earth would Asda be celebrating "68 years" of service? :-) I can understand 50 or 75 or 100 but 68? Come on!

  4. Farid Tahery

    November 7, 2017 at 8:16 pm #

    It's time for ICANN to make a change in the way new domain names are accepted. It's no longer enough to check for an exact duplicate when registering a new domain. The definition of uniqueness for domain names ought to be extended to also exclude domain names that can be used in typo-squatting or homograph attacks. After all, it's hard to imagine any legitimate usage for such domain names.

    • Spryte in reply to Farid Tahery.

      November 9, 2017 at 4:08 am #

      I Second the Motion!!

  5. neil bryce

    November 7, 2017 at 9:54 pm #

    Got one of these messages the other day, ignored it.

  6. Alisa

    November 8, 2017 at 9:41 am #

    Thanks for this, Graham. Good information to know & share widely.

  7. Spryte

    November 9, 2017 at 4:39 am #

    I've seen this before. There are apparently many characters that are so close to our character set that one can easily be tricked if one is not vigilant about the links one is going to click.
    If I find something suspicious I usually Copy and paste it into Notepad. Then I can inspect or Windows will give a message saying there are invalid characters.

  8. Adrian

    November 9, 2017 at 4:45 am #

    Can't always ditch them based on appalling grammar and weird non-native sentence structure, I've seen plenty of corporate emails that would be thrown out on that basis!
