Microsoft heads to court to take on imposter, homoglyph domains

Microsoft has turned to the court system to take down domains designed to impersonate the firm in phishing attacks.

On Monday, Microsoft's Digital Crimes Unit (DCU) said a judge in the Eastern District of Virginia issued a court order that requires domain registrars to disable websites "used to impersonate Microsoft customers and commit fraud."

The complaint (.PDF), filed to pursue a preliminary injunction and restraining order, has been issued against "John Does," terminology used to describe anonymous or unknown plaintiffs facing legal action. 

According to the DCU, Microsoft filed the case to try and clamp down on imposter domains, also known as homoglyph-based web addresses. 

In homoglyph attacks, fraudsters will use similar words, phrases, letters, numbers, or symbols to masquerade as a legitimate organization, whether this is Microsoft, Google, Facebook, PayPal, or other well-known brands. 

Attackers may send phishing emails, SMS messages, or social media notes containing links to an imposter domain that asks for account credentials or which may deploy exploit kits. If visitors fail to notice the small differences in a domain that reveal it is not a trusted source, they may be more likely to become a victim.   

When it comes to Microsoft, homoglyph domain examples include switching "o" for a zero -- such as "micr0soft.com," or using a lowercase "l" instead of an "i" in "mlcrosoft.com."

"We continue to see this technique used in business email compromise (BEC), nation-state activity, malware, and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks," the company said.

The court case stemmed from a customer who complained about a Microsoft-related BEC scam, resulting in the discovery of at least 17 imposter domains being used to siphon account credentials. 

In this case, the attackers leveraged a legitimate email sent from a compromised Office 365 customer account asking a business for advice on processing payments. The group then sent a malicious email containing a link to a homoglyph domain, urging payment to be made as quickly as possible -- but, of course, the account details for a "subsidiary account" belonged to the criminals. 

Microsoft says that the attackers behind the BEC scam, who appear to originate from Africa, tend to target small businesses across the US.

After using a malicious domain to grab employee credentials, the scam artists may infiltrate networks and then impersonate vendors, other members of staff, or customers to try and dupe the victim company into approving fraudulent payments and fake invoices. 

Microsoft hopes that the court order will further disrupt the owners of the malicious domains and will prevent them from easily shifting their infrastructure to other third-party services. 

The complaint follows 23 cases brought forward by the Redmon giant since 2010. Other legal actions include complaints against malware operators and state-sponsored hacking groups. 

Previous and related coverage

• Microsoft just blew up the only reason you can't use a Linux desktop
  
• UK and White House blame China for Microsoft Exchange Server hack
  
• Microsoft Teams can now turn your phone into a Walkie Talkie
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0