Maiar is a digital crypto wallet and global payments app that allows users to exchange and securely store money on their mobile phones. People can use Maiar to send and receive money near-instantly, to and from anyone around the world by just using a phone number or herotag.
The Maiar team launched an app notification warning reminding users that the app will never request account validation through text messages.
The SMiShing attacks
Being a Maiar user, I personally received two different text messages, which, on a closer look, were clearly phishy. They followed all the classical phishing recipes:
- Create a false sense of urgency
- Use a fake link
- Unexpected message content
Let’s look at the text messages more carefully.
This one is the easiest to spot. Since it was their first attempt, I guess the bad actors were not very determined. They tried the classical way of tricking users with a fake website: maiarapp.net. Even though it seemed questionable from the get-go, I wanted to confirm my suspicions by looking for the official Maiar website, on the brand new and secure Brave search.
It turned out that I was right to be doubtful, as the official Maiar website is https://maiar.com, not https://maiarapp.net.
SMiShing #2 – Punycode attack
This text message looks quite authentic, right? Something bad happened to my Maiar account and I need to verify it as soon as possible. The link looks right, it points to maiar.com, the official website. Oh, if we look closely, the second “a” in the domain name is not really an “a”. It is the letter “a” with a dot below, “ạ”, a Vietnamese character.
This is what security researchers call a Punycode attack. These types of attacks use characters from extended alphabets to mimic real-life web addresses. It all started with using numbers instead of letters (remember micr0soft.com?), but now bad actors are using the huge character set of Unicode to trick users. And it’s working!
Unicode characters can look the same to the naked eye, but domains written with these letters point to different web addresses. Some letters of the Latin (Roman) alphabet, the one most modern browsers and languages use, have shapes similar to letters in Greek, Cyrillic and other alphabets, so it’s easy for an attacker to register a domain name that replaces some ASCII characters with look-alike Unicode characters.
For example, if you swap a normal “T” for the Greek letter Tau, “τ”, the user would see an almost identical “T” symbol, but the Punycode behind it, the form the computer actually reads, is xn--5xa, which points to a different web address.
There is a Punycode converter which makes this easy as pie. Try it out for yourself here https://www.punycoder.com. I know, there’s a website for everything.
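As an added illustration (not part of the original post), here is a small Python check a defender could run over incoming texts: it pulls the hostname out of each link, converts it to the ASCII form the resolver really uses, lists any non-ASCII characters by Unicode name, and strips the decorations to see whether the host is a look-alike of the official domain. The sample messages are constructed, and the official domain is taken from the post as maiar.com.

```python
import re
import unicodedata

# Constructed sample SMS bodies, modelled on the messages described in the post
# (not the original texts). "\u1ea1" is LATIN SMALL LETTER A WITH DOT BELOW.
SAMPLE_SMS = [
    "Maiar: your account was locked. Verify at https://maiar.com/verify",
    "Maiar: unusual login, confirm at https://mai\u1ea1r.com/confirm",
    "Get the new Maiar app at https://maiarapp.net/get",
]

URL_RE = re.compile(r"https?://([^/\s]+)")


def to_ascii(host: str) -> str:
    """ASCII form the resolver really uses: 'xn--' Punycode for non-ASCII labels."""
    return host.encode("idna").decode("ascii")


def base_letter(c: str):
    """ASCII letter a decorated character decomposes to (e.g. 'ạ' -> 'a'), else None."""
    parts = unicodedata.decomposition(c).split()
    if parts and not parts[0].startswith("<"):  # canonical, not <compat>, mapping
        base = chr(int(parts[0], 16))
        return base if base.isascii() else None
    return None


def lookalike_form(host: str) -> str:
    """What the host looks like once dots/accents are stripped from non-ASCII letters."""
    return "".join(base_letter(c) or c for c in host)


def check_host(host: str, official: str) -> dict:
    """Classify one hostname against the brand's official domain."""
    ascii_form = to_ascii(host)
    labels = ascii_form.lower().split(".")
    return {
        "host": host,
        "ascii": ascii_form,
        "uses_punycode": any(label.startswith("xn--") for label in labels),
        "non_ascii": [(c, unicodedata.name(c, "UNKNOWN")) for c in host if not c.isascii()],
        "is_official": ascii_form.lower() == official,
        # A different host whose stripped form equals the brand is a homograph of it.
        "mimics_official": ascii_form.lower() != official
        and lookalike_form(host).lower() == official,
    }


def scan(messages, official="maiar.com"):
    """Extract every link host from the messages and classify it."""
    return [check_host(h, official) for m in messages for h in URL_RE.findall(m)]
```

The same `to_ascii` call reproduces the post's Tau example: `to_ascii("τ")` returns `xn--5xa`.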
I hoped to analyse the websites as well. Unfortunately for me (but happily for everyone else), by the time I was writing this post, the websites had been taken down.
This is a great example of how bad actors attack people indiscriminately and how good people can take the bait and find themselves with an empty wallet.
It’s important to remember a few things.
- Whenever faced with unexpected messages, learn to keep emotions aside. Bad actors prey on panic and fear to push you into bad decisions.
- Once you’re calm, check the contents of the message. Are the links fake? If you’re not sure, do a web search for the official website and compare the two.
- If you end up on the linked website, be very suspicious of any minor change, glitch or bug. These are strong indicators that the site is fake, a copy of the original one.
- As a rule of thumb, you should never click on links you receive in unexpected messages. It’s better to take the time and type the website in the address bar.
I leave you with a thought: What would have happened if you had clicked and logged in to the fake Maiar website?
Thanks for reading. Stay safe!