We briefly mentioned this article in passing on this week's Security Box, as one of the articles I need for the podcast in two weeks. Well, I read it, and it has nothing to do with the theme park at all; it is about a new threat actor group that Krebs is writing about.
There is an encoding out there called Punycode, which lets a domain name that contains non-ASCII characters be written in plain ASCII; such labels start with "xn--", and the browser decodes them back to the accented or foreign-script characters for display. This is the Wikipedia page on Punycode for those who want to read it. I'm providing it as a resource here so that when you read the linked article, you'll have an idea of what is going on.
The article from Krebs on Security that caught my attention is titled Disneyland Malware Team: It’s a Puny World After All and I found it quite interesting.
Apparently they go after bank customers, and they use look-alike domains to get their victims to click and hand over whatever it is the group wants from them at that moment.
According to the article, they built a web interface that lets them work with victims in real time. Can you imagine being on a site where the person who wants your money or credentials is watching your session through some type of control panel?
The Disneyland Team uses common misspellings for top bank brands in its domains. For example, one domain the gang has used since March 2022 is ushank[.]com — which was created to phish U.S. Bank customers.
This is why we have been urging people to check the address bar and confirm where they are before giving up any type of information. In the following paragraph, Krebs uses brackets to defang the domain so nobody clicks it by accident. That paragraph states:
But this group also usually makes use of Punycode to make their phony bank domains look more legit. The U.S. financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team’s domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ.com.
The changes are mainly visual, and I have no idea how we would protect ourselves. If you arrow through the domain in that quote, at least with JAWS, there are characters there, but they aren't read. That could be our giveaway on whether we're on the correct site, if we were a customer of the bank. If any other reader reads that differently, please report to me so that I can mention it on a future podcast if this is talked about.
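As an added example (this is not code from the original post, nor anything from Krebs's research or the Disneyland Team's kit), here is how the two tricks quoted above can be checked by a script rather than by eye: decode any "xn--" label back to Unicode, strip the diacritics to see what plain brand name is hiding under it, and measure how far a plain ASCII name like ushank is from the brand it imitates. The brand list, the verdict names and the helper names are all illustrative assumptions; the decoded value ạmeriprisẹ.com is what the standard Punycode algorithm (RFC 3492, as implemented in Python's built-in codec) produces for xn--meripris-mx0doj.

```python
"""Added example: classify look-alike bank domains of the two kinds the
Krebs article describes, Punycode homographs and plain typosquats.
The BRANDS list and the verdict labels are assumptions for illustration."""
import unicodedata

# Constructed list of legitimate brand domains to compare against (assumption).
BRANDS = ["usbank.com", "ameriprise.com"]


def decode_label(label: str) -> str:
    """Return one DNS label in Unicode form; 'xn--' labels are Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def unicode_hostname(host: str) -> str:
    """Decode every label of a hostname (defanging already removed)."""
    return ".".join(decode_label(label) for label in host.split("."))


def skeleton(text: str) -> str:
    """Strip diacritics so 'ạmeriprisẹ' collapses to 'ameriprise'.

    NFD splits each accented letter into a base letter plus combining
    marks; dropping the marks (category Mn) leaves the base letters."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed
                   if unicodedata.category(c) != "Mn").casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for strings as short as domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_domain(host: str) -> dict:
    """Compare a hostname (possibly defanged with [.]) against BRANDS.

    verdict is one of:
      'exact'     the brand domain itself
      'homograph' same letters once diacritics are stripped
      'typosquat' within edit distance 1 of the brand name
      'none'      nothing close
    """
    host = host.replace("[.]", ".").lower()   # undo defanging if present
    decoded = unicode_hostname(host)
    has_punycode = decoded != host
    name = decoded.rsplit(".", 1)[0]          # drop the TLD for comparison
    verdict, match = "none", None
    for brand in BRANDS:
        brand_name = brand.rsplit(".", 1)[0]
        if decoded == brand:
            verdict, match = "exact", brand
            break
        if skeleton(name) == brand_name:
            verdict, match = "homograph", brand
            break
        if edit_distance(name, brand_name) <= 1:
            verdict, match = "typosquat", brand
            break
    return {"input": host, "decoded": decoded, "punycode": has_punycode,
            "verdict": verdict, "brand": match}


if __name__ == "__main__":
    # The two domains quoted from the article, plus the real Ameriprise one.
    for h in ["ameriprise.com", "xn--meripris-mx0doj.com", "ushank[.]com"]:
        print(check_domain(h))
```

The diacritic-stripping step only catches the "dots under letters" style of homograph shown in the article. Look-alikes built from a different script entirely (for example a Cyrillic letter that draws the same as a Latin one) survive NFD untouched; for those, the Unicode confusables data from UTS #39 is the reference to map against, and the safest habit remains the one above: a bank's real address bar should never show an "xn--" label or a letter you cannot type.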
According to the research Krebs cites, this group is Russian-speaking, if not based in Russia as well. The research also indicates that they're not a phishing gang per se.
There's plenty more to this, so please read the whole article; we may be targets if we haven't been already.
Discover more from The Technology blog and podcast