Hot Take One different character style (the same character) can lead to a phishing page

Parkinsond

Parkinsond

Level 63
Thread author
Verified
Top Poster
Well-known
Dec 6, 2023
5,084
15,370
6,169
2025-10-11 01.37.07 www.citi.com 87fc64357aec.jpg

2025-10-11 01.37.32 xn--citibnk-pbd.com f2ec1d76ef4b.jpg

www.wilderssecurity.com

Hackers are creative

One of these directs you to a hackers website!!! citibank . com citibɑnk . com Can you spot the difference? I had to look at these two URLs for...
www.wilderssecurity.com www.wilderssecurity.com
 
  • Like
  • +Reputation
Reactions: simmerskool, Andy Ful, Sorrento and 5 others
Parkinsond said:
View attachment 291804

View attachment 291805

www.wilderssecurity.com

Hackers are creative

One of these directs you to a hackers website!!! citibank . com citibɑnk . com Can you spot the difference? I had to look at these two URLs for...
www.wilderssecurity.com www.wilderssecurity.com
Click to expand...
Yeah, hackers sure know how to keep things interesting—and sneaky. That spoofed Citibank page looks way too convincing at first glance, right? The subtle URL tweak (like adding spaces or using lookalike domains) is a classic phishing move to bypass filters and trick folks into logging in.

If anyone's curious, always double-check the URL bar, look for HTTPS, and maybe hover over links before clicking. Tools like browser extensions (e.g., from Malwarebytes or uBlock Origin) can help flag these fakes too. Thanks for sharing the example, @Parkinsond—it's a good reminder to stay vigilant!

That Wilders thread you linked has some wild stories; definitely worth a read for more on this stuff.
 
Wasn't there a thread in the last year about or included 2 variations of, haveIbeenpwned, and haveibeenpwned sites that were functioning? Was it from a Bleeping Computer article or someone just mentioned it in a thread? There seemed to be some concern about it, IIRC.
 
Last edited:
  • Like
  • Applause
Reactions: simmerskool, Andy Ful, Sorrento and 4 others
Jonny Quest said:
Wasn't there a thread in the last year about or included 2 variations of, haveIbeenpwned, and haveibeenpwned sites that were functioning? Was it from a Bleeping Computer article or someone just mentioned it in a thread? There seemed to be some concern about it, IIRC.
Click to expand...
Parkinsond

Question Thread 'Which one is the real "Have I Been Pwned" website?'

haveibeenpwned.com

Have I Been Pwned: Check if your email address has been exposed in a data breach

Have I Been Pwned allows you to check whether your email address has been exposed in a data breach.
haveibeenpwned.com haveibeenpwned.com

havelbeenpwnd.com

Have I Been Pwned: Check if your email has been compromised in a data breach

Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised.
havelbeenpwnd.com havelbeenpwnd.com
Click to expand...
  • Like
  • +Reputation
 
  • Like
  • Hundred Points
Reactions: simmerskool, Andy Ful, Trident and 4 others
Parkinsond said:
Parkinsond

Question Thread 'Which one is the real "Have I Been Pwned" website?'

haveibeenpwned.com

Have I Been Pwned: Check if your email address has been exposed in a data breach

Have I Been Pwned allows you to check whether your email address has been exposed in a data breach.
haveibeenpwned.com haveibeenpwned.com

havelbeenpwnd.com

Have I Been Pwned: Check if your email has been compromised in a data breach

Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised.
havelbeenpwnd.com havelbeenpwnd.com
Click to expand...
  • Like
  • +Reputation
Click to expand...
The answer from the thread author himself 👏👏:) Thank you, Parkinsond :)
 
  • Like
  • Love
  • Thanks
Reactions: simmerskool, Trident, Sorrento and 3 others
Parkinsond said:
You're welcome, @Jonny Quest 😊
But the in previous thread, the difference was more noticeable; extra "e" and capital "I" instead of small one.
Click to expand...
Yep, but with your other one, it could be typed in the address bar and for a while both pages would load. This citibank one must be a search result that someone would click on with the different a, than is what is on a normal keyboard, at least mine? Or if it was in a email link, or a text etc., could be a hard one to spot :)
 
  • Like
  • +Reputation
Reactions: simmerskool, Sorrento, roger_m and 2 others
Jonny Quest said:
Yep, but with your other one, it could be typed in the address bar and for a while both pages would load. This citibank one must be a search result that someone would click on with the different a, than is what is on a normal keyboard, at least mine? Or if it was in a email link, or a text etc., could be a hard one to spot :)
Click to expand...
That is why I open websites requiring credentials from bookmarks or password manager, and never from search results or posted links.
 
  • Like
  • Hundred Points
Reactions: simmerskool, Sorrento, roger_m and 2 others
piquiteco said:
View attachment 291824
View attachment 291819
View attachment 291821
View attachment 291822
View attachment 291823
View attachment 291826
(y)
Click to expand...
They did not work for me, one extension installed each time.

Parkinsond

Hot Take Post in thread 'One different character style (the same character) can lead to a phishing page'

stonjean633 said:
if the AV suite can't block the URL on time, it's up for us to be cautious
Click to expand...
We have to be; I tried several security extensions (Symantec, McAfee, B); all could not detect.

2025-10-11 11.41.16 xn--citibnk-pbd.com c7b8e8c1d8de.jpg
2025-10-11 11.40.16 xn--citibnk-pbd.com 176efd08bc8b.jpg
2025-10-11 11.42.01 xn--citibnk-pbd.com 7a248f4d1cd9.jpg
  • Like
 
  • Like
Reactions: piquiteco
  • Like
Reactions: Trident and harlan4096

You may also like...