Hacker News new | past | comments | ask | show | jobs | submit login
Attackers Used Look-Alike Domains to Steal $1M from a Chinese VC (darkreading.com)
104 points by known 45 days ago | hide | past | web | favorite | 27 comments

Firefox users: be sure to set "network.IDN_show_punycode" to "true" in about:config.

Test with the fake Apple domain https://www.xn--80ak6aa92e.com/ .

See "Phishing with Unicode Domains" for more information: https://www.xudongz.com/blog/2017/idn-phishing/ .

For the situation in the article it would not have changed anything. As the fake domains were just adding an 's' to the end of the domain.

Also I'm not sure what effect that will have for Chinese users. It might make many of their URLs look strange to them.

See: https://www.reddit.com/r/firefox/comments/7ul9p3/why_is_netw...

I'm not aware of any Chinese websites that don't just use Pinyin for their domain name. Some random person is squatting on http://xn--wxtr44c.xn--fiqs8s/ (百度.中国), but Baidu doesn't seem to care. They use http://www.baidu.com/ as their primary address.

> I'm not aware of any Chinese websites that don't just use Pinyin for their domain name.

There are tons. One prominent email provider is a three-digit number. There's a job board at 51job.com.

(What's 51job? Read in Mandarin, that would be "wǔ yāo job" [five one "job" (the English word)]. This is felt to sound similar to "wǒ yào job" 我要job [I want a job].)

I should've written "... that don't just use ASCII characters instead of Hanzi." Of course domains using numbers or English words aren't Pinyin, but the point is that they don't require Punycode to represent.

Why is 1 = yāo? It is yi isn’t it?

一 yi (tone varies based on phonological context) is the ordinary word for 1.

幺 yāo is a common word for 1 when vocalizing a stream of digits. (Such as a phone number / credit card number / account number / etc.) I am told that this originated as a way to easily distinguish 1 from 7 (七 qī) when communicating over a low-quality connection. In the presence of static, yi and qi could sound similar.

CC-CEDICT has a good gloss ( https://www.mdbg.net/chinese/dictionary?page=worddict&wdrst=... ):

> one (unambiguous spoken form when spelling out numbers, esp. on telephone or in military)


The other day I was browsing a list of all my country's domains and noticed a bunch starting with xn-- and you just made me understand what these are.

None of them seem worth phishing for. In some cases when you google the site name, google will show results from sitename.tld and when you visit the site with the show_punycode true, it will actually load pages from the xn-- equivalent. So it looks like the "original" domain isn't even indexed or online at all.

In another case both the xn-- and "normal" domain sit side by side on the same server. I guess there's no harm in posting these:

cadzandie.be and xn--cadzandi-01a.be. Note there's no ë in the first domain

Another strange one is


When you type in remboursé.be it actually redirects (?) to the xn-- equivalent.

I'm fascinated but having a hard time seeing sense in this.

I heard this story from a local startup as well - an investor ended up losing ~$100k because the investor's email account was compromised and a lookalike domain was used to impersonate the startup.

I've been calling people out-of-band for verification using phone numbers from past communications, even if I'm working on transactions that don't seem out of the ordinary. Not that SIM card fraud doesn't happen, but at least that adds another layer of security.

Isn’t it time to see more widespread use of encryption in emails? What I’m pertaining to is signing emails to make sure they are coming from correct source.

As bayarrhea points out, a signature doesn't help you if the attack model is "lookalike domain".

Email validation exists; gmail will let you know if email arrived over TLS or not. Validation that the source of an email matches the "From:" header is generally done by checking the domain's SPF record.



Encryption doesn’t help Unicode homoglyph attacks. I can send you encrypted messages all day long from google.com, even though they’re not coming from who you think they are.

If you are using web of trust in a gpg style then homoglyph attacks are not particularly effective..

If you are using CAs then homoglyph attacks are the simplest of many attacks based on a system of minimal technical compliance.

if you don't care about unicode domains then mitigation can be very simple using dnsmasq, e.g.:

in /etc/dnsmasq.conf add something like:

  # Add domains which you want to force to an IP address here.

(in case your dnsmasq doesn't support this then there is a patch here: https://github.com/spacedingo/dnsmasq-regexp_2.76)

You wouldn't be able to sign the fake message with the fake domain unless you compromised the sender's PGP private key, which was not the vector of this attack.

When I use the actual second party's public key, the decryption won't work though, so you'd be found out immediately, surely?

Exactly so.

Reminded me of "bitsquatting": http://dinaburg.org/bitsquatting.html

I wonder if anyone is doing this regularly. I didn't hear much about it after the initial fanfare.

Sounds like some brilliant social engineering went on. I'd love to read a more in-depth write-up

“Such scams .. show why secondary protection mechanisms — like verbal confirmation — are necessary when making high-value transactions”

How about digital signatures and end-to-end email encryption.

Encryption only verifies it hasn't been changed or viewed by a third party, the original email contained the problem so you would just store an encrypted string that would decrypt with the attack in it

How are these cases usually handled in court? Could the Chinese VC possibly require the startup to pay damages over insufficient security measures?

Potentially but then that would probably mean their deal is off. ..not sure they want that.

Ask HN: How are other VCs dealing with this?

No idea about VC, but in the PE space call-backs and standing data change procedures are the answer.

Pretty safe if people actually follow procedures

anovikov 45 days ago [flagged]

I'm thinking it might have quite likely been people from inside both the VC firm and the startup to be funded, collaborating to phish the money away from their companies...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact