Bittrex.com Unicode URL phishing scam

Submitted by gerry on Tue, 10/10/2017 - 15:30

I occasionally use Bittrex to trade cryptos and, were it not for my password manager, I would probably have fallen victim to a pretty subtle phishing scam. The scam relies on the fact that in the huge Unicode character set there are many glyphs that look very like the standard Roman characters we are used to as far as URLs are concerned. Many browsers do not make any visual distinction either, so if a letter looks like an 'A', for example, only some digging will reveal that it is in fact another character entirely.

Compare this, the legitimate URL...

[Image: the legitimate URL]

With this, the fake...

[Image: the fake URL]

All looks OK at a glance, right? It even has a green 'site secure' SSL notification. However, notice what looks like a little comma under the 'r'? This is an entirely different character, which means that we are not at bittrex.com, we are at a phishing site. A pretty clever one too, as it turns out.

I didn't actually notice this at first. I use a password manager, Lastpass, which has a browser plugin that fills in credentials on recognised sites. In this instance, though, it failed to fill anything, which got me thinking.

I opened the 'site information' window and saw the following cookie...

[Image: cookie]

I then remembered reading about Unicode URL hacks, and looked closer at the URL only to notice the little comma. xn--bittex-eib.com is rendered as bittŗex.com by the browser.

It seems that Google is returning an ad for this URL in its results for 'bittrex'.

[Image: Google results]

Thankfully this is as far as the scam got with me, but others may be less lucky.

Password managers and 2FA are a good line of defense against this sort of attack.

A Unicode-to-Punycode converter can be seen here: https://www.punycoder.com/
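The same conversion can be done locally, which is handy when checking a whois record or a suspicious link without pasting it into a third-party site. The following is an added example written for this post, not code from the post or from Bittrex; it uses only the Python standard library. It decodes the "xn--" form to Unicode, lists every non-ASCII character with its Unicode name, and applies a crude confusable fold (NFKD decomposition with combining marks dropped, a simplification of the UTS #39 skeleton idea, not the full confusables table) to see whether the name collapses onto a watchlisted brand domain. The watchlist is an assumption; only bittrex.com comes from the post.

```python
import unicodedata

# Constructed watchlist of brand domains a defender wants to protect
# (assumption: only bittrex.com is taken from the post itself).
WATCHLIST = ["bittrex.com"]


def to_unicode(host: str) -> str:
    """Decode an ACE ("xn--") hostname to Unicode with the stdlib IDNA codec.

    Whois prints labels in upper case, so the name is lower-cased first.
    A hostname that is already in Unicode form is returned unchanged.
    """
    host = host.lower().rstrip(".")
    try:
        raw = host.encode("ascii")
    except UnicodeEncodeError:
        return host
    return raw.decode("idna")


def to_ascii(host: str) -> str:
    """Encode a Unicode hostname to the ACE form that DNS and the registry see."""
    return host.lower().rstrip(".").encode("idna").decode("ascii")


def non_ascii_chars(host: str):
    """Every non-ASCII code point in the decoded hostname, with its Unicode name."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in to_unicode(host)
        if ord(ch) > 0x7F
    ]


def skeleton(host: str) -> str:
    """Crude confusable folding: NFKD-decompose, then drop combining marks (Mn),
    so that 'r with cedilla' collapses to a plain 'r'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def analyze(host: str, watchlist=WATCHLIST) -> dict:
    """Report whether a hostname is an IDN look-alike of a watchlisted domain.

    A name whose skeleton equals a brand but whose decoded form differs from it
    is flagged; the brand's own domain is not.
    """
    unicode_form = to_unicode(host)
    lookalike = None
    for brand in watchlist:
        if skeleton(host) == brand.lower() and unicode_form != brand.lower():
            lookalike = brand
            break
    return {
        "input": host,
        "unicode": unicode_form,
        "ascii": to_ascii(unicode_form),
        "non_ascii": non_ascii_chars(host),
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # The upper-case spelling is how the whois record in the post prints it.
    for candidate in ["XN--BITTEX-EIB.COM", "bittrex.com"]:
        print(analyze(candidate))
```

Run against the domain from the whois record, `analyze` decodes it to bittŗex.com, reports the single offending character as U+0157 LATIN SMALL LETTER R WITH CEDILLA, and flags it as a look-alike of bittrex.com; the real bittrex.com produces no findings. The skeleton fold only catches accented variants of Latin letters; a full check would also consult the Unicode confusables data and a mixed-script rule, which is what browsers' IDN display policies do before deciding whether to show the Unicode or the "xn--" form.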

The registrar, namecheap.com, and bittrex.com have both been notified, since Namecheap is identified in the whois record.

Domain name: XN--BITTEX-EIB.COM
Registry Domain ID: 2172486546_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2017-10-09T19:56:44.00Z
Creation Date: 2017-10-09T19:17:53.00Z
Registrar Registration Expiration Date: 2018-10-09T19:17:53.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: 
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID: 
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411 
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext: 
Registrant Fax: +51.17057182
Registrant Fax Ext: 
Registrant Email: [email protected]
Registry Admin ID: 
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411 
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext: 
Admin Fax: +51.17057182
Admin Fax Ext: 
Admin Email: [email protected]
Registry Tech ID: 
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411 
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext: 
Tech Fax: +51.17057182
Tech Fax Ext: 
Tech Email: [email protected]
Name Server: rs60a.registrar-servers.com
Name Server: rs60b.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

As of October 13th, the domain has been cancelled and the account suspended. Thanks Namecheap!
