Backwards phishing with Unicode – edocinU htiw gnihsihp sdrawkcaB

How do you verify the validity of a URL before you click it in an email? What about checking the file extension of a file before you open or execute it?

You have a look at it, right? You make sure the URL is legitimate, the TLDs are correct etc. You look at the file extension and make sure there’s no funny business going on. No .pifs, no .exes, no .bats etc.

We were doing a forensic investigation in to some card fraud recently and noticed a really nifty ingress vector. It was an old school phishing attack with link to a site they used pretty heavily.

Yet, on clicking, they were dropped on to a rogue scrape of the legitimate site, complete with a drive-by exploit. The victim was pretty tech savvy, and couldn’t figure out how they had fallen for the scam.

Turns out that the attacker had been using the Unicode reverse character U+202E to obfuscate the URL. Here’s how it works:

The character is here, in between the brackets:
(‮‮(

Looks invisible but it is there, I promise, though your browser might cause issues. Copy and paste both brackets (persevere, it’s NOT easy!) in to a text editor such as WordPad or Notepad.

Once pasted put your cursor between the brackets and type. Watch the text reverse. If it doesn’t work, move your cursor right and try again. It’s counter-intuitive so keep trying. Reversing characters might hurt the brain a bit, until you’ve figured it out.

So, you send a link to your evil hacker site, but obfuscate it. Here’s how;

Paste the reverse character, then type your evil site URL. Enter a separator such as ? then type the URL of the site you want to hide it with.

You actually type:

http://www.evilsite.co.uk?ku.oc.cbb.www//:ptth

…but if you enter the reverse character first, it will be displayed as:

http://www.bbc.co.uk?ku.oc.etislive.www//:ptth in the link you send.

Can’t be anything wrong with the good old BBC web site, surely! BTW – we own evilsite.co.uk, so you should be OK following the link :-)

Now, we didn’t go to much trouble to obfuscate the URL, but one could do so much more to hide it if you wanted.

You might find some of the text reversing web site out there quite useful, so you know what to type backwards without brain-ache.

You can also insert the reverse character mid-way in to text, but it gets really confusing when trying to type, as you can’t see the character and navigation gets really complex. Try it!

e.g. annfdp.exe can be changed annexe.pdf. much more plausible, don’t you think?

However, it appears that the reverse character isn’t interpreted in a file name, which makes the goal of hiding exes as ‘safe’ pdfs a little way off.

Anti-virus appears to interpret the file name correctly too, so this isn’t the perfect workaround it could be. We’re still trying to work out a way to use this to our advantage.