I occasionally use Bittrex to trade cryptos and were it not for my password manager, I would probably have fallen victim to a pretty subtle phishing scam.. The scam relies on the fact that in the huge unicode character set, there are many glyphs that look very like standard the roman characters we are used to as far as URLs are concerned. Many browsers do not make any visual distinction either, so if a letter looks like an 'A' for example, only some digging will reveal that it is in fact another character entirely.
Compare this, the legitimate URL...
With this, the fake...
All looks OK at a glance, right? Even has a green 'site secure' SSL notification. However, notice what looks like a little comma under the 'r'? This is an entirely different character, which means that we are not at bittrex.com, we are at a phishing site. A pretty clever one too, as it turns out.
I didn't actually notice this at first. I use a password manager, Lastpass, which has a browser plugin that fills in credentials on recognised sites. In this instance, though, it failed to fill anything, which got me thinking.
I opened the 'site information' window and saw the following cookie...
I then remembered reading about Unicode URL hacks, and looked closer at the URL only to notice the little comma. xn--bittex-eib.com is rendered as bittŗex.com by the browser.
It seems that Google is returning an ad for this URL in its results for 'bittrex'.
Thankfully this is as far as the scam got with me, but others may be less lucky.
Password managers and 2FA are a good line of defense against this sort of attack.
A Unicode encoder can be seen here: https://www.punycoder.com/
The registrar, namecheap.com and bittrex.com have both been notified since namecheap are identified in the whois record.
Domain name: XN--BITTEX-EIB.COM Registry Domain ID: 2172486546_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2017-10-09T19:56:44.00Z Creation Date: 2017-10-09T19:17:53.00Z Registrar Registration Expiration Date: 2018-10-09T19:17:53.00Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: Registrar Abuse Contact Phone: +1.6613102107 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: addPeriod https://icann.org/epp#addPeriod Registry Registrant ID: Registrant Name: WhoisGuard Protected Registrant Organization: WhoisGuard, Inc. Registrant Street: P.O. Box 0823-03411 Registrant City: Panama Registrant State/Province: Panama Registrant Postal Code: Registrant Country: PA Registrant Phone: +507.8365503 Registrant Phone Ext: Registrant Fax: +51.17057182 Registrant Fax Ext: Registrant Email: [email protected] Registry Admin ID: Admin Name: WhoisGuard Protected Admin Organization: WhoisGuard, Inc. Admin Street: P.O. Box 0823-03411 Admin City: Panama Admin State/Province: Panama Admin Postal Code: Admin Country: PA Admin Phone: +507.8365503 Admin Phone Ext: Admin Fax: +51.17057182 Admin Fax Ext: Admin Email: [email protected] Registry Tech ID: Tech Name: WhoisGuard Protected Tech Organization: WhoisGuard, Inc. Tech Street: P.O. Box 0823-03411 Tech City: Panama Tech State/Province: Panama Tech Postal Code: Tech Country: PA Tech Phone: +507.8365503 Tech Phone Ext: Tech Fax: +51.17057182 Tech Fax Ext: Tech Email: [email protected] Name Server: rs60a.registrar-servers.com Name Server: rs60b.registrar-servers.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
As of October 13th, the domain has been cancelled and the account suspended. Thanks Namecheap!