Browser-Based Threat Alert: Disneyland Malware Team

Krebs on Security recently reported on a financial crimes group that calls itself the “Disneyland Team” and uses a relatively uncommon phishing technique. The technique abuses internationalized domain names (IDNs). DNS only carries ASCII, so a domain label that contains non-ASCII characters is registered in its Punycode form: an ASCII encoding of the Unicode label, marked by the prefix xn--. When a browser loads such a domain it decodes the xn-- label and shows the Unicode characters it represents in the address bar.

The upshot is that attackers can register xn-- domains whose decoded form consists of characters that closely resemble Latin letters, or of Latin letters carrying small diacritics, and the browser displays the look-alike rather than the raw xn-- string. Browsers do apply display heuristics (Firefox and Chrome, for example, fall back to showing the xn-- form for labels that mix scripts), but a label made entirely of Latin letters with diacritics generally passes those checks. One domain used by the Disneyland Team attackers, https://xn--clientchwb-zxd5678f[.]com, decodes to clientșchwạb[.]com (an s with a comma below and an a with a dot below), which closely resembles a legitimate Charles Schwab client portal. Clicking a link to that URL presents the user with a page that appears legitimate, down to the address bar, even for a user applying the URL-checking habits taught in standard phishing protection training.
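To make the decoding step concrete, here is an added example (not Conceal's code and not from the Krebs article) that turns an xn-- label back into Unicode with the RFC 3492 Punycode algorithm, exactly as a browser does before painting the address bar, and then applies the check a mail gateway or proxy could run: decompose the label, drop the combining marks, and see whether what is left spells a protected brand. The brand list and the sample hostnames other than the Disneyland Team domain quoted above are constructed for the example.

```javascript
// Added example: RFC 3492 Punycode decoding plus a diacritic-homoglyph check.
// Not part of the original post or of any Conceal product; the brand list is
// a constructed placeholder.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation from RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > Math.floor(((BASE - TMIN) * TMAX) / 2)) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Punycode digits: a-z (or A-Z) map to 0..25, 0-9 map to 26..35.
function digitValue(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 48 && c <= 57) return c - 48 + 26;
  if (c >= 65 && c <= 90) return c - 65;
  if (c >= 97 && c <= 122) return c - 97;
  throw new Error(`invalid punycode digit: ${ch}`);
}

// Decode one label with the "xn--" prefix already removed.
function punycodeDecode(input) {
  const output = [];
  const lastDelim = input.lastIndexOf("-");
  // Everything before the last '-' is plain ASCII and is copied as-is.
  if (lastDelim > 0) {
    for (const ch of input.slice(0, lastDelim)) output.push(ch.codePointAt(0));
  }
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  let pos = lastDelim >= 0 ? lastDelim + 1 : 0;
  while (pos < input.length) {
    // Each delta is a variable-length base-36 integer (generalized variable-length integer).
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new Error("truncated punycode");
      const digit = digitValue(input[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, output.length + 1, oldi === 0);
    n += Math.floor(i / (output.length + 1));
    i %= output.length + 1;
    output.splice(i, 0, n);   // insert code point n at position i
    i++;
  }
  return String.fromCodePoint(...output);
}

// Decode every xn-- label of a hostname; plain ASCII labels are left alone.
function domainToUnicode(host) {
  return host.toLowerCase().split(".").map(label =>
    label.startsWith("xn--") ? punycodeDecode(label.slice(4)) : label).join(".");
}

// Skeleton of a label: canonical decomposition, then strip combining marks,
// so the comma under s and the dot under a disappear and "clientșchwạb"
// collapses to "clientschwab". This only handles diacritic look-alikes;
// Cyrillic or Greek letter substitutions need a confusables table as well.
function skeleton(label) {
  return label.normalize("NFD").replace(/\p{M}/gu, "");
}

// Constructed brand list for the example.
const PROTECTED_BRANDS = ["schwab", "usbank", "paypal"];

// Flag a host whose decoded label is non-ASCII yet spells a protected brand
// once the marks are removed.
function assessHost(host) {
  const unicode = domainToUnicode(host);
  const findings = [];
  for (const label of unicode.split(".")) {
    const hasNonAscii = /[^\x00-\x7f]/.test(label);
    const brand = PROTECTED_BRANDS.find(b => skeleton(label).includes(b));
    if (hasNonAscii && brand) {
      findings.push(`label "${label}" reads as "${skeleton(label)}" (brand: ${brand})`);
    }
  }
  return { unicode, suspicious: findings.length > 0, findings };
}

for (const h of ["xn--clientchwb-zxd5678f.com", "client.schwab.com", "xn--maana-pta.com"]) {
  console.log(h, "->", JSON.stringify(assessHost(h)));
}
```

The skeleton comparison deliberately runs on the decoded form rather than on the xn-- string: an allow-list of brand names matched against raw ASCII would never see "schwab" inside "clientchwb-zxd5678f". The check is a useful gateway or log-enrichment rule, not a replacement for the browser's own IDN display policy, which it complements by catching the single-script Latin cases that policy lets through.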

Remote Browser Isolation and Phishing Protection to the Rescue

While this technique varies slightly from others we’ve previously posted on, at its core it still preys on users’ inherent trust in the brands and businesses they interact with every day. It is especially dangerous, however, because it renders ineffective one of the key phishing protection measures many users are taught: checking the URL bar, or hovering over a link to see the true URL it points at, to verify that it is legitimate. As in the Charles Schwab example above, the difference between the legitimate domain and the look-alike can be as small as a dot or comma below one of the letters.

This is the type of user-trust attack that ConcealBrowse defeats. Instead of leaving users to make decisions based on their own trust and their ability to spot suspicious sites, ConcealBrowse relies on advanced phishing identification and an intelligence-fed decision engine to identify and block these attacks.

ConcealBrowse stops these deceptive domains from tricking users in two ways. First, if the site carries the logo of the brand the attackers are impersonating, ConcealBrowse identifies the logo using AI algorithms, recognizes that the domain is not legitimately tied to the company the logo represents, and blocks the user from entering credentials. Second, if the site is not identified as a phishing page, the ConcealBrowse decision engine still flags the URL and opens it in a remote browser isolation session. This allows users to continue interacting with the site while their identity is hidden, and all code executes on a throw-away isolated browser instance in the cloud where it cannot affect your network.

The Best Browser Security is Zero Trust at the Edge

Let us show you how ConcealBrowse can stop attacks that abuse users’ trust. Schedule a demo today and we will walk you through how your business can be protected from attacks like this one.