Hey Qantas, we think we stopped a major incident for you. That’ll be $10.95 thanks!

Last Updated 8th Dec 2023

It’s a long story. But a good one, I promise you.

I just hope someone tags Qantas and they let us transfer them the domain… Let me explain.

Long live AI

Here at Sabiki Security we have a wide variety of nerds (sorry, geniuses) at our disposal, from Data Scientists and Threat Researchers to some old school Cyber guys that have been around the block a few times. So it wasn’t that surprising that the stars aligned and we uncovered this, and it’s a great example of why the bad guys are causing us all sleepless nights.

Sabiki Email Security is a solution designed to tackle one of the biggest problems in the industry (Phishing attacks), and it unapologetically leverages AI to see things the human eye can’t. While reviewing an interesting Phishing sample with a customer this week, one that used Internationalized Domain Names (IDNs) to trick users, one of our contacts casually mentioned an interaction on a Russian Dark Web forum, and this is where things got interesting.

IDNs

Let’s start with IDNs, what they are, why the bad guys love them, and why we can confidently say no amount of user enablement is likely to save you from something our AI model picked up in a millisecond.

Born in the Asia-Pacific region, it’s natural for our team (and our Email Security platform for that matter) to understand multiple languages and alphabets. For the wider Internet, and for the sake of DNS servers worldwide, a domain that uses characters outside the “English” alphabet is mapped to something called a Punycode address, which is made up only of “English” characters.

Without going off on a tangent explaining ASCII, Punycode, Unicode and so on, here is a well-cited example used when explaining the topic.

For coffee chain Starbucks, their local Korean website is actually 스타벅스.com, but because DNS does not understand these non-English characters, the name is resolved across the Internet’s DNS servers as xn--ik3bz5iba065l.com

Go on, click that link and check it out... pretty cool huh?
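To make the mapping concrete, here is an added example (not from the original post, and not Sabiki code) that converts a domain between its Unicode form and the Punycode form DNS resolves, the way a browser does before it sends the query. It uses only Python’s standard library; the sample domains are the Starbucks name quoted above and the dotted-‘a’ Qantas look-alike discussed further down, and the helper names are my own.

```python
import unicodedata

# Constructed inputs for this example: the Starbucks Korea name cited in the
# post, the dotted-'a' look-alike of qantas.com discussed later in it, and a
# plain ASCII name for contrast.
SAMPLE_DOMAINS = ["스타벅스.com", "q\u1ea1ntas.com", "qantas.com"]


def to_ascii(domain: str) -> str:
    """Return the ASCII form of a domain name that DNS actually resolves.

    Each dot-separated label is handled on its own: an all-ASCII label passes
    through untouched, anything else is NFC-normalised, lower-cased,
    Punycode-encoded (RFC 3492) and prefixed with 'xn--'. This is the
    conversion a browser performs before the query reaches a resolver.
    """
    out = []
    for label in unicodedata.normalize("NFC", domain).lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain: str) -> str:
    """Inverse of to_ascii: decode every 'xn--' label back to Unicode."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def is_idn(domain: str) -> bool:
    """True if the name contains at least one internationalised label."""
    return any(label.startswith("xn--") for label in to_ascii(domain).split("."))


def round_trips(domain: str) -> bool:
    """Check that encoding and decoding gives back the (normalised) original."""
    return to_unicode(to_ascii(domain)) == unicodedata.normalize("NFC", domain).lower()


if __name__ == "__main__":
    for name in SAMPLE_DOMAINS:
        print(f"{name:<16} -> {to_ascii(name):<24} IDN={is_idn(name)} "
              f"round-trip={round_trips(name)}")
```

Run it and compare the Starbucks line with the xn-- form quoted above. Note that the dotted ‘a’ can arrive either as one precomposed character or as a plain ‘a’ followed by a combining dot; the NFC step folds both into the same label, so both spellings produce the same Punycode.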

You can probably see where this is all going.

There are some languages whose alphabets have characters that are strikingly similar to English, and the bad guys try and manipulate this to Phish users.

The sample we were reviewing for a customer was exactly this: a Phish trying to get the user to go to a domain with a mixture of English and Cyrillic characters that, to the naked eye, looked totally legitimate. Sabiki blew it away without a millisecond of thought.

Yay! 

To be fair, Cybersecurity companies have been talking about this for years; there are also specific browser settings (and browsers, for that matter) that *should* easily uncover a “punycode”-based Phishing attack, but an attacker who blankets the Internet with enough Phishing emails is likely to get a hit.

(Try out our ‘Punycode’ Phishing domain later in this post to see if you actually get anything…)

This is where a chance encounter on the good old DamageLab Russian hacking forum (now known as XSS) yielded a disturbing request.

From Russia with Love

Security specialists are all over forums such as this; most probably have their own accounts. It’s also not uncommon for independent researchers to skate on thin ice and have some insight into, and reputation among, the lower echelons of hacking groups.

When discussing the Phishing sample with an old friend, who happens to be a security specialist and who happens to speak Russian, he mentioned receiving a private message asking if he could translate and colloquialise a Phishing template into the Australian vernacular; someone had put out a fraction of a Bitcoin as a bounty for the task.

Interesting. We got the tip-off, but we were then also sent a link to an encrypted file-sharing platform where the template the hacker wanted to use was sitting. A bit lazy, doesn’t look like anything nation-state related, and it looks like they shared a bit more than they should have…

From the above screengrab, what you are seeing is a directory roughly translated as ‘Christmas project’ and two files: one called ‘project’ and the other literally ‘ryba’, the Russian word for ‘fish’.

The project file was basically a clone of the Qantas login page.

More interestingly, we have the email template:

For any Cybersecurity people out there, what stands out for you in this template?

Obviously, it’s not the complete Phish, and the attacker (who at this point looks quite amateurish) seems to need a lot of help…

- We know this request came off a Russian dark web forum, so it’s not surprising that the words in the middle, in Cyrillic, translate as ‘Main text’. That’s where the attacker wants an English message that will entice the user to click.

- With contextual knowledge, we can also see it does not match the exact template of the Qantas Frequent Flyer program; a legitimate communication would have the member’s details and points balance above the main image of the email.

- The most interesting thing to me (and it took me a while to spot) is that the URL pasted in the body is going to be used in a Punycode attack (technically called a homograph attack)!

Look at the first letter ‘a’… zoom in, you’ll see it.

See that ‘dot’ underneath the first ‘a’? That, my friends, is NOT dust on your screen and is also NOT an English character. Cross-referencing the code in the HTML file, we also see a mixture of references to that bogus Qantas address.

It’s pretty obvious by now what the attacker is trying to set up here, and fortunately for us he overshared a half-completed attack, so we have enough to understand exactly what the play is… it’s the 2018 Air France incident all over again.

Back in 2018, attackers defrauded Air France customers via PII theft using a WhatsApp message that contained a bogus Air France URL, www.airfrnce.com. It was quite smart of the attackers to use WhatsApp, considering that browser-based and web-based scanning layers are almost non-existent on mobile devices.

Défense in depth?

But how is this attack on Qantas going to play out?

Is the attacker going to run the gauntlet of multiple security layers that exist with Email, Web and Browser?

Do they have a list of customers, or are they just going to blanket phish a huge email list?

Will they spoof the Qantas Frequent Flyer address? Probably.

It sure is a timely type of attack, with Olivia Wirth, the head of Qantas’ Frequent Flyer program, having just announced she is stepping down. A Phishing campaign is often quite successful when it touches on an event or news that the general public is aware of, so if I were crafting such a campaign I would certainly refer back to this somehow.


Team Sabiki steps in

After realizing what the attacker was planning, we naturally went to the URL www.qạntas.com to investigate further; alas, it was not yet registered!

So, being the good corporate citizens we strive to be, we registered the domain, as you can see below:

So, Qantas, let’s do lunch in one of your Frequent Flyer lounges sometime (I love your coffee, by the way) and we can transfer the domain ownership over to you. We stopped short of forwarding the domain to our homepage www.sabiki.ai as a shameless marketing stunt because we genuinely love the emphasis you as an organization put on Cybersecurity, but thought it would make an interesting article all the same.

On a more serious note, this proves a few things.

Email is not ‘sorted’. No matter how boring you may find email security, it is still the kick-off point for the vast majority of attacks today, from credential theft to full-blown Ransomware outbreaks. It is the single medium by which an attacker can test the mightiest and the least of your users, and it really deserves a bit more attention as well as investment.

It also proves that no matter how good an organization is in terms of its own Cybersecurity posture, it has very little control over what the bad guys will at least try. Why should its name be dragged through the mud if a campaign like this were to eventuate? There is almost nothing Qantas could be doing more of, or better, to protect its Frequent Flyer customers. But can you imagine the media coverage this would create?


Each email-receiving organization should do its part to stop such attacks from having an impact. There are multiple settings in the browser, in Web filtering products and in Firewalls that can block, or at least expose, ‘Punycode URLs’ such as these, which makes things more obvious to the user if they do unfortunately get suckered into clicking the link.

For Email administrators out there: if you are not currently using a newer-generation Email Security solution such as ‘Sabiki Email Security for Microsoft 365’ that leverages a dynamic, trainable AI engine, I suggest you take steps to manually add rules to look for, and block, variations of the Qantas website this coming holiday season (a regex-based rule should do the trick).
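Here is an added example of what such a rule can look like, applied both to the dotted-‘a’ URL discussed above and to the ‘variations of the Qantas website’ an administrator might want to block. It is not code from the original post or from Sabiki: the brand list, the confusable table, the sample email body and the function names are all constructed for this example, and it needs only Python’s standard library.

```python
import re
import unicodedata

# Brands the rule protects (constructed list for the example; put your own
# organisation's and partners' names here).
PROTECTED_BRANDS = {"qantas"}

# A handful of Cyrillic letters that render almost identically to Latin ones.
# Deliberately short: a production rule would load the full Unicode
# confusables table instead of this hand-picked subset.
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04bb": "h",
})

# Hostnames in the message body, with or without a scheme. \w is Unicode-aware
# in Python, so internationalised labels are captured as written.
HOST_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.IGNORECASE)

# Constructed message body: one legitimate link plus the kinds of look-alike
# the post describes (dotted 'a', its Punycode form, a Cyrillic 'а', a typo).
SAMPLE_EMAIL = """\
Your Qantas Points statement is ready: https://www.qantas.com/au/en/frequent-flyer
Confirm your details here: http://www.q\u1ea1ntas.com/login
or here: http://www.xn--qntas-j11b.com/login
Cyrillic variant: https://q\u0430ntas.com/login
Typo variant: https://qntas.com/login
Unrelated: https://example.com/news
"""


def decode_label(label: str) -> str:
    """Turn an 'xn--' label back into Unicode; leave anything else alone."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label for inspection
    return label


def skeleton(label: str) -> str:
    """Reduce a label to what the eye sees: drop combining marks (the dot
    under the 'a' is one), then map look-alike Cyrillic letters onto Latin."""
    decomposed = unicodedata.normalize("NFKD", label)
    no_marks = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return no_marks.translate(CYRILLIC_CONFUSABLES).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch single-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'clean', 'homograph' or 'typo' for one hostname.

    Every label is checked, so www.qantas.com.au is accepted and a look-alike
    in any position is not. An exact ASCII brand label is treated as benign;
    subdomain tricks such as qantas.example.com need a separate rule.
    """
    for label in map(decode_label, host.lower().split(".")):
        if label in PROTECTED_BRANDS:
            continue
        if skeleton(label) in PROTECTED_BRANDS:
            return "homograph"
        if label.isascii() and any(edit_distance(label, b) == 1 for b in PROTECTED_BRANDS):
            return "typo"
    return "clean"


def scan_email(body: str) -> list:
    """Return (host, verdict) for every hostname found in a message body."""
    return [(h, classify_host(h)) for h in HOST_RE.findall(body)]


if __name__ == "__main__":
    for host, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:<10} {host}")
```

Two design points are worth noting. Punycode labels are decoded before comparison, so the rule catches the xn-- form an attacker might paste as well as the Unicode form, and matching on the brand’s visual skeleton rather than on ‘xn--’ alone avoids flagging legitimate internationalised domains such as the Starbucks Korea name earlier in the post. A plain regex on the literal bogus address is still worth adding as a belt-and-braces rule, but it will not survive the attacker swapping one confusable for another.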

Because if you are sitting there right now and clicking on the link www.qntas.com actually takes you through to our domain registrar’s landing page, I’ve got some bad news for you…

Developed by Email Security Professionals and Data scientists with decades of experience to make life easier for customers and MSPs alike, Sabiki Email Security is a cloud-native 'built-for Microsoft 365' SaaS solution that protects your organization from Phishing, Spam and targeted scams using the power of a dynamic AI feedback loop engine. Powered by a 'Dynamic' Machine Learning engine in combination with next-generation contextual and behavioral analysis capabilities, Sabiki Email Security provides an incredible level of granularity in engine customization with seamless onboarding and operation.