How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/
Fri, 03 Jun 2022 20:43:26 +0000

The post How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document? appeared first on Information Security Newspaper | Hacking News.

A recent report indicates that Microsoft Office applications could be exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a target user hovering over a link in a phishing email or Word or Excel document could be automatically redirected to a malicious domain.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it, will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters from a non-Latin script or alphabet, which are encoded by the Unicode standard. For the Domain Name System (DNS) to interpret them correctly, IDNs are stored in the DNS as ASCII strings using Punycode transcription.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets, which to the user look so similar to each other that it is impossible to distinguish them, although Unicode treats them as separate entities. This is not a new concept, although it is still a problem for many users.

Most browsers, for example, display in the address bar the real name of an internationalized domain name (https://xn--n1aag8f.com, for example) instead of the display name (https://žugec.com) if the site is suspicious. However, Office applications, including Outlook, display the name differently.

Since domain registration verification greatly limits which counterfeit domains can be registered and most browsers display the real name of the spoofed IDN domain, IDN homograph attacks have ceased to be a constant cybersecurity threat, although threat actors may find ways to deploy these attacks on a large scale.

Microsoft acknowledged the problem when it received the Bitdefender report, though it’s unclear if the issue will be fixed. Until the issue is resolved, endpoint security solutions and IP and URL reputation services could help by blocking most suspicious domains.
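The display rule described above for browsers, written as a check a mail filter or link preview could apply, is sketched below. This is an added example, not code from the article or from Bitdefender; the helper name inspectLink, the three-script subset and the sample links are assumptions made for illustration.

```javascript
// Added example, not code from the article or the Bitdefender report.
// The scripts checked here are a small illustrative subset.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Which of the scripts above occur in one DNS label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// inspectLink is a hypothetical helper name.
function inspectLink(href) {
  // The WHATWG URL parser applies IDNA ToASCII: this is the form stored in DNS.
  const asciiHost = new URL(href).hostname;
  // Recover the host as written in the link, to see which scripts it uses.
  const rawHost = href
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, '')
    .split(/[\/?#]/)[0]
    .split('@').pop()
    .replace(/:\d+$/, '')
    .toLowerCase();
  const labels = rawHost.split('.').map((label) => scriptsIn(label));
  const isIdn = asciiHost.split('.').some((label) => label.startsWith('xn--'));
  // A single label that mixes scripts is the classic homograph pattern.
  const mixedScript = labels.some((scripts) => scripts.length > 1);
  // Show the ASCII form for any IDN so the reader sees what will be resolved.
  return { asciiHost, isIdn, mixedScript, display: isIdn ? asciiHost : rawHost };
}

// Constructed samples; \u0430 is CYRILLIC SMALL LETTER A.
const SAMPLE_LINKS = [
  'https://example.com/login',
  'https://ex\u0430mple.com/login',
  'https://\u043f\u0440\u0438\u043c\u0435\u0440.com/',
];
for (const href of SAMPLE_LINKS) console.log(inspectLink(href));
```

A link that is already written in its xn-- form carries no Unicode text to classify, so it is reported as an IDN without a mixed-script verdict.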

Researchers find new way to insert backdoor in JavaScript code with invisible characters
https://www.securitynewspaper.com/2021/11/10/resechers-find-new-way-to-insert-backdoor-in-javascript-code-with-invisible-characters/
Thu, 11 Nov 2021 00:27:06 +0000

The post Researchers find new way to insert backdoor in JavaScript code with invisible characters appeared first on Information Security Newspaper | Hacking News.

Cybersecurity specialists described a new method to hide backdoors in JavaScript code using Unicode characters that are invisible or can be easily confused with other characters. This technique allows malicious code to evade detection, even during a thorough scan.

This method was inspired by a subreddit post documenting a developer’s difficulties in identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. The researchers used “ᅠ” (called “HANGUL FILLER”) as their invisible Unicode character because it has the property ID_Start. Characters with this property can appear in a JavaScript variable name.

The following code snippet visualizes how the invisible character could go unnoticed by replacing the character in question with its escape sequence representation: const { timeout, \u3164 } = req.query;. This destructuring assignment retrieves the parameters timeout and “ᅠ” from req.query, and if the “ᅠ” is passed, it is assigned to the invisible variable.

Threat actors could execute arbitrary commands on the target operating system by passing the “ᅠ” parameter to the endpoint in its URL-encoded form. Wolfgang Ettlinger, of Certitude Consulting, points out that this approach cannot be detected by syntax highlighting, since invisible characters are not displayed at all and therefore cannot be identified.

On the possibility of detecting this attack variant in real scenarios, Ettlinger mentions that his team has not comprehensively analyzed the factors that could contribute to the mitigation of this risk or favor its exploitation, so it is not yet possible to determine how serious the danger is in practice.

As a possible security measure, the researcher recommends that developers protect their code from this kind of attack by prohibiting the use of non-ASCII characters. This would have no impact on their work, as non-ASCII characters are something very unusual in code development.
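One way to enforce the recommended ban on non-ASCII characters is a scan that runs before review or merge and reports each offending code point with its position and an escaped rendering of the line. The code below is an added example, not the researchers' tooling; the function names and the sample source are constructed for illustration.

```javascript
// Added example: flags every non-ASCII code point in JavaScript source text.
// Code points that render as nothing (default-ignorable, format, space) are
// labelled "invisible"; everything else outside ASCII is "non-ascii".
const INVISIBLE = /[\p{Default_Ignorable_Code_Point}\p{White_Space}\p{Cf}]/u;

function toHex(cp) {
  return cp.toString(16).toUpperCase().padStart(4, '0');
}

// scanSource is a hypothetical helper name.
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const lineFindings = [];
    let escapedLine = '';
    let column = 0;
    for (const ch of text) {            // iterates by code point, not UTF-16 unit
      column += 1;
      const cp = ch.codePointAt(0);
      if (cp <= 0x7f) {
        escapedLine += ch;
        continue;
      }
      // Make the character visible to a reviewer as an escape sequence.
      escapedLine += '\\u{' + toHex(cp) + '}';
      lineFindings.push({
        line: index + 1,
        column,
        codePoint: 'U+' + toHex(cp),
        kind: INVISIBLE.test(ch) ? 'invisible' : 'non-ascii',
      });
    }
    for (const f of lineFindings) findings.push({ ...f, escapedLine });
  });
  return findings;
}

// Constructed sample: line 2 is the destructuring quoted in the article,
// with the real U+3164 character in place of its escape sequence.
const SAMPLE = [
  '// caf\u00e9 timeout handler',
  'const { timeout,\u3164} = req.query;',
  'const ms = parseInt(timeout) || 5000;',
].join('\n');

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}:${f.column} ${f.codePoint} ${f.kind}  ${f.escapedLine}`);
}
```

A build step can fail whenever scanSource returns a non-empty list, or only on "invisible" findings if the code base legitimately carries non-ASCII text in comments or strings.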
