June 18, 2021 | 00:10

Quiz for more best practice and awareness

A quiz for the weekend: Which of the following domains is most likely a malicious one? Look closely!

ԁeutsche-telekom.de
sparkasse-ԁarmstadt.de
cloud.sessionID.cf.373.tw/323.fra.commerzbank.de

Quite simple, some will say. Others claim they never fall for phishing mails or open unknown file attachments. This always happens to the others! If you know such a person, pass this quiz on to him or her.

Solution

Even if the first two domains seem familiar, they do not lead to where you expect. The “d” in deutsche-telekom and sparkasse-darmstadt is a Cyrillic “d” that is hardly distinguishable from our Latin one. Technically it is a completely different letter. A look into the source code reveals the difference:

ԁeutsche-telekom.de

When the link is pasted into the web browser and opened, the actual spelling used in the DNS becomes clear:

xn--eutsche-telekom-dcp.de 

It may be too late once this is discovered in the web browser: the page has already been opened and malware dropped. Recommendations to copy links from e-mails to the clipboard and paste them into the browser are therefore misleading and do not prevent this at all.

The last domain, on the other hand, is a classic phishing domain. Registered under the country-code TLD .tw somewhere in Taiwan, it feigns a Commerzbank domain.
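A check for the three quiz links from the defender's side, as an added example that is not part of the original post: it lists every non-ASCII character in the host name with its code point, shows the ASCII form that is actually looked up in the DNS, and flags host-like text that only appears after the first slash. The function names and the host-like pattern are assumptions of this sketch, and the conversion is the raw per-label Punycode encoding without full IDNA mapping.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: "looks like a host name" = dot-separated labels ending in an alphabetic TLD.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)

def to_ace(label):
    """ASCII form of one DNS label (raw Punycode, no full IDNA mapping)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def script(ch):
    """Rough script guess: first word of the Unicode name, e.g. LATIN, CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def inspect_link(link):
    """Describe where a link really points, without resolving or opening it."""
    parts = urlsplit(link if "//" in link else "//" + link)
    host = parts.hostname or ""
    labels = host.split(".")
    mixed = []
    for label in labels:
        scripts = sorted({script(c) for c in label if c.isalpha()})
        if len(scripts) > 1:
            mixed.append((label, scripts))
    first_segment = parts.path.lstrip("/").split("/")[0]
    return {
        "host": host,
        "ace_host": ".".join(to_ace(l) for l in labels),
        "non_ascii": [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                      for c in host if not c.isascii()],
        "mixed_script_labels": mixed,
        "hostname_in_path": first_segment if HOSTLIKE.match(first_segment) else None,
    }

# The three quiz links from the post; \u0501 is the look-alike "d".
SAMPLES = [
    "\u0501eutsche-telekom.de",
    "sparkasse-\u0501armstadt.de",
    "cloud.sessionID.cf.373.tw/323.fra.commerzbank.de",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for key, value in inspect_link(sample).items():
            print(f"{key:20} {value!r}")
        print()
```

A mail gateway or link-rewriting proxy can run the same kind of check before a user ever sees the link, which fits the post's point that inspecting the address bar comes too late.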

All three domains are highly likely to be malicious and should not be visited. Would you have known that? And besides Cyrillic characters, there are many more characters from other languages. This leads us to the consequence and best practice:

Do not click on links in mails, chats, PDFs and Office documents!

You are welcome.

Tomas Jakobs
