Homoglyph Domains used in BEC Scams Shut Down by Microsoft


Staff member
Malware Hunter
Jul 27, 2015
17 domains used in Business Email Compromise (BEC) scams have been seized by Microsoft's Digital Crimes Unit (DCU), following an investigation by the software giant into attacks that could have stolen millions of dollars from innocent firms.

The "homoglyph" domains impersonated domains used by legitimate businesses, and were used in attempts to defraud Microsoft Office 365 customers. Homoglyph domains exploit the fact that many different characters look identical or very similar. For instance, the capital letter "O" and the number "0" (eg. MICROSOFT.COM vs MICR0S0FT.COM) or an uppercase ninth letter of the alphabet “I” and a lowercase 12th letter “l” (eg. MICROSOFT.COM vs. MlCROSOFT.COM). In the past, homoglyph attacks have also taken advantage of domains which contain Unicode characters (rather than conventional ASCII), allowing users to mistake - for instance - the Cyrillic "а" (U+0430) the ASCII character "a" (U+0061). They may look the same but they are different characters!

In a blog post, Microsoft said that it continued to see homoglyph domains used in BEC scams, nation state activity, and the distribution of malware and ransomware. As Microsoft explains in legal documents, attacks often combined with phishing attacks to steal credentials and break into the accounts of customers