
Attackers Used Look-Alike Domains to Steal $1M from a Chinese VC - known
https://www.darkreading.com/attacks-breaches/how-attackers-used-look-alike-domains-to-steal-$1-million-from-a-chinese-vc-/d/d-id/1336547
======
miles
Firefox users: be sure to set "network.IDN_show_punycode" to "true" in
about:config.

Test with the fake Apple domain [https://www.xn--80ak6aa92e.com/](https://www.xn--80ak6aa92e.com/).

See "Phishing with Unicode Domains" for more information:
[https://www.xudongz.com/blog/2017/idn-phishing/](https://www.xudongz.com/blog/2017/idn-phishing/).

~~~
graton
For the situation in the article it would not have changed anything. As the
fake domains were just adding an 's' to the end of the domain.

Also I'm not sure what effect that will have for Chinese users. It might make
many of their URLs look strange to them.

See:
[https://www.reddit.com/r/firefox/comments/7ul9p3/why_is_netw...](https://www.reddit.com/r/firefox/comments/7ul9p3/why_is_networkidn_show_punycode_default_to_false/?st=k3vyesfg&sh=26d84cc0)
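The two cases raised above, the punycode/homoglyph domain (what the Firefox setting exposes visually) and the plain ASCII domain with one letter appended (what the article describes), can both be caught by the same sender-domain check. The following is an added example, not code from the thread or from Firefox: it decodes `xn--` labels with Python's punycode codec, folds a small illustrative subset of Unicode confusables to the Latin letters they imitate, flags labels that mix scripts, and measures edit distance against an allow-list. The allow-list, the confusables table and the sample domains are constructed assumptions; the real confusables list (Unicode TR39) is far larger.

```python
"""Added example (not from the thread): flag sender domains that imitate a
trusted domain, covering punycode homoglyphs, mixed-script labels and
one-or-two-character ASCII typosquats. Tables and samples are illustrative."""
import unicodedata

# Illustrative subset of Unicode confusables: non-Latin letters that render
# like the Latin letter on the right. Not a complete list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_unicode(hostname):
    """Decode every xn-- label with the punycode codec; other labels pass through."""
    labels = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(hostname):
    """Unicode form with look-alike letters folded to the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in to_unicode(hostname))


def scripts_in(label):
    """Scripts (first word of the Unicode character name) used by the letters of one label."""
    return {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()}


def edit_distance(a, b):
    """Levenshtein distance, used to catch 'append one letter' style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, trusted, max_typo_distance=2):
    """Return (verdict, imitated_domain); verdicts: ok, homoglyph, mixed-script, typosquat, unknown."""
    sender = to_unicode(sender_domain)
    if sender in trusted:
        return ("ok", None)
    skel = skeleton(sender)
    if skel in trusted:                       # looks identical to a trusted domain once decoded
        return ("homoglyph", skel)
    if any(len(scripts_in(label)) > 1 for label in sender.split(".")):
        return ("mixed-script", None)         # Latin and Cyrillic (etc.) mixed inside one label
    for t in trusted:
        if edit_distance(skel, t) <= max_typo_distance:
            return ("typosquat", t)
    return ("unknown", None)


if __name__ == "__main__":
    TRUSTED = {"apple.com", "examplevc.com"}  # constructed sample allow-list
    for d in ["xn--80ak6aa92e.com", "examplevcs.com", "examplevc.com", "payp\u0430l.com"]:
        print(d, "->", to_unicode(d), classify(d, TRUSTED))
```

The order of the checks matters: the confusables fold runs before the script test so that a fully Cyrillic "apple" is reported as a homoglyph of the trusted name rather than merely as foreign script, and the edit-distance test runs on the folded form so that a homoglyph with an extra letter is still caught as a typosquat.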

~~~
yorwba
I'm not aware of any Chinese websites that don't just use Pinyin for their
domain name. Some random person is squatting on [http://xn--wxtr44c.xn--fiqs8s/](http://百度.中国/) (百度.中国), but Baidu doesn't seem to care. They use
[http://www.baidu.com/](http://www.baidu.com/) as their primary address.

~~~
thaumasiotes
> I'm not aware of any Chinese websites that don't just use Pinyin for their
> domain name.

There are tons. One prominent email provider is a three-digit number. There's
a job board at 51job.com.

(What's 51job? Read in Mandarin, that would be "wǔ yāo job" [five one "job"
(the English word)]. This is felt to sound similar to "wǒ yào job" 我要job [I
want a job].)

~~~
tluyben2
Why is 1 = yāo? It is yi isn’t it?

~~~
thaumasiotes
一 yi (tone varies based on phonological context) is the ordinary word for 1.

幺 yāo is a common word for 1 when vocalizing a stream of digits. (Such as a
phone number / credit card number / account number / etc.) I am told that this
originated as a way to easily distinguish 1 from 7 (七 qī) when communicating
over a low-quality connection. In the presence of static, yi and qi could
sound similar.

CC-CEDICT has a good gloss (
[https://www.mdbg.net/chinese/dictionary?page=worddict&wdrst=...](https://www.mdbg.net/chinese/dictionary?page=worddict&wdrst=0&wdqb=%E5%B9%BA)
):

> one (unambiguous spoken form when spelling out numbers, esp. on telephone or
> in military)

~~~
tluyben2
Thanks!

------
mmastrac
I heard this story from a local startup as well - an investor ended up losing
~$100k because the investor's email account was compromised and a lookalike
domain was used to impersonate the startup.

I've been calling people out-of-band for verification using phone numbers from
past communications, even if I'm working on transactions that don't seem out
of the ordinary. Not that SIM card fraud doesn't happen, but at least that
adds another layer of security.

~~~
westoque
Isn’t it time to see more widespread use of encryption in emails? What I’m
referring to is signing emails to make sure they are coming from the correct
source.

~~~
bayarrhea
Encryption doesn’t help Unicode homoglyph attacks. I can send you encrypted
messages all day long from google.com, even though they’re not coming from who
you think they are.

~~~
pbhjpbhj
When I use the actual second party's public key, the decryption won't work
though, so you'd be found out immediately, surely?

~~~
mirimir
Exactly so.

------
tyingq
Reminded me of "bitsquatting":
[http://dinaburg.org/bitsquatting.html](http://dinaburg.org/bitsquatting.html)

I wonder if anyone is doing this regularly. I didn't hear much about it after
the initial fanfare.
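Bitsquatting differs from the look-alike domains in the article in that the victim never mistypes anything: a single flipped bit in memory or on the wire turns the correct name into a neighbour that the attacker has registered. The following is an added example, not code from the thread or from Dinaburg's page; it enumerates the valid hostnames one bit away from a given registrable name, which is exactly the list a bitsquatter would consider registering (and a defender would consider registering defensively or monitoring in DNS logs). The sample domain is a constructed input; the TLD is left unflipped on the assumption that one-bit-off TLDs are rarely registrable.

```python
"""Added example (not from the thread): list the syntactically valid hostnames
that differ from a domain's registrable name by exactly one flipped bit."""

VALID = set("abcdefghijklmnopqrstuvwxyz0123456789-")  # hostname alphabet (lowercase)


def bit_flips(ch):
    """Distinct single-bit flips of one ASCII character that are still valid hostname characters.

    Flipping bit 5 turns a lowercase letter into its uppercase form, which DNS
    treats as the same name, so that flip is dropped by the lowercase-only check.
    """
    out = set()
    for bit in range(8):
        flipped = chr(ord(ch) ^ (1 << bit))
        if flipped in VALID and flipped != ch:
            out.add(flipped)
    return out


def bitsquat_variants(domain):
    """Sorted list of domains one bit away from `domain`, keeping the TLD fixed."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i, ch in enumerate(name):
        for alt in bit_flips(ch):
            candidate = name[:i] + alt + name[i + 1:]
            # A label may not be empty or begin/end with a hyphen.
            labels = candidate.split(".")
            if any(not lbl or lbl.startswith("-") or lbl.endswith("-") for lbl in labels):
                continue
            variants.add(candidate + "." + tld)
    return sorted(variants)


def flip_positions(domain):
    """Map each variant to the (character index, bit) that produces it, for reporting."""
    name, _, tld = domain.lower().rpartition(".")
    where = {}
    for i, ch in enumerate(name):
        for bit in range(8):
            alt = chr(ord(ch) ^ (1 << bit))
            candidate = name[:i] + alt + name[i + 1:] + "." + tld
            if candidate in set(bitsquat_variants(domain)):
                where[candidate] = (i, bit)
    return where


if __name__ == "__main__":
    sample = "microsoft.com"  # constructed sample input
    for v in bitsquat_variants(sample):
        idx, bit = flip_positions(sample)[v]
        print(f"{v:20s}  char {idx} ({sample[idx]!r}) bit {bit}")
```

Running it on a nine-letter name yields a few dozen candidates; the ones worth watching are those whose flipped character is itself a plausible letter or digit, since a resolver log entry for such a name from a machine that never typed it is a strong sign of a memory error rather than a user typo.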

------
rozab
Sounds like some brilliant social engineering went on. I'd love to read a more
in-depth write-up

------
EddieCPU
“Such scams .. show why secondary protection mechanisms — like verbal
confirmation — are necessary when making high-value transactions”

How about digital signatures and end-to-end email encryption.

~~~
chipperyman573
Encryption only verifies it hasn't been changed or viewed by a third party;
the original email contained the problem, so you would just store an encrypted
string that would decrypt with the attack in it.

------
victorfriedrich
How are these cases usually handled in court? Could the Chinese VC possibly
require the startup to pay damages over insufficient security measures?

~~~
duxup
Potentially, but then that would probably mean their deal is off... not sure
they want that.

------
rdlecler1
Ask HN: How are other VCs dealing with this?

~~~
Havoc
No idea about VC, but in the PE space call-backs and standing data change
procedures are the answer.

Pretty safe if people actually follow procedures.

------
anovikov
I'm thinking it might have quite likely been people from inside both the VC
firm and the startup to be funded, collaborating to phish the money away from
their companies...

