A quizzle for the weekend: Which of the following domains is most likely a malicious one? Look closely!
ԁeutsche-telekom.de
sparkasse-ԁarmstadt.de
cloud.sessionID.cf.373.tw/323.fra.commerzbank.de
Quite simple, some will say. Others claim they never fail to phishing mails or open unknown file attachments. This always happens to the others! Whoever knows such a person may pass this quiz to him or her.
Solution
Even if the first two domains seem familiar, they do not lead to where you expect. The “d” in deutsche-telekom and sparkasse-darmstadt is a cyrillic “d” and hardly distinguishable from our latin one. Technically it is a completely different letter. A look into the source code reveals the difference:
ԁeutsche-telekom.de
When inserted and opened in the web browser, the actual spelling in the DNS becomes clear:
xn--eutsche-telekom-dcp.de
It maybe too late when discovered in the web browser - the page has been opened and a malware dropped. Therefore recommendations to copy links from e-mails to the clipboard and into the browser are misleading and not preventing this at all.
The last domain, on the other hand, is a classic phishing domain. Registered with the TLD country code .tw somewhere in Taiwan, a domain of Commerzbank is feigned.
All three domains are highly likely to be malicious and should not be visited. Would you have known that? And besides Cyrillic characters, there are a lot more characters in different languages. This leads us to the consequence and best practice:
Do not click on links in mails, chats, PDFs and Office documents!
You are welcome.
Tomas Jakobs