Cyber Criminals Up to New Tricks: Hidden Executables, 'Typosquatting'


I'd like to think that, as a group, computer users are getting much smarter about how the bad guys try to lure us into downloading malware or into giving up personal information. I think the majority of enterprise users know not to click on unfamiliar links and are questioning phishing schemes. Of course, this is why the bad guys have to get sneakier.


Two security vendors recently documented attacks that deliberately misuse language itself, both how text is displayed on screen and how people type it, to trick users.


First, Avast Software discovered a trick it calls "Unitrix": malware that misuses a Unicode text-direction control (the right-to-left override character, U+202E) to make an executable's file name display as if it were a harmless file. No software flaw is exploited; the deception is entirely in how the name is drawn on screen. As a Computerworld article explained it:


Unicode is the computer industry standard for representing text with alpha-numeric codes. Unitrix abuses Unicode for right-to-left languages -- such as Arabic or Hebrew -- to mask Windows executable files (.exe) as innocuous graphic images (.jpg) or Word documents (.doc).

As Jindrich Kubec, head of the Avast Virus Lab, explained, the typical user tends to look at the extension at the end of the file name. Because the override reverses the tail of the name, the real .exe extension lands in the middle of what is displayed while a fake .jpg or .doc appears at the end, and the user doesn't realize he has clicked on an executable file until after it's too late.
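To make the mechanism concrete, here is an added example (my own code, not Avast's or Computerworld's) that builds a Unitrix-style name with the U+202E override character, shows how a bidi-aware file manager would render it versus what the OS will actually execute, and flags the mismatch. The sample names and the executable-extension list are constructed for the example, and the display simulation handles only the override character, not the full Unicode bidirectional algorithm.

```python
import os
import unicodedata

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE) is
# the one the Unitrix trick relies on; the rest are the related embedding,
# override and isolate controls, none of which belongs in a legitimate filename.
RLO = "\u202e"
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING ends an override run
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
}

# Extensions Windows will execute on double-click (a representative subset,
# chosen for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".vbs", ".js"}


def build_unitrix_name(prefix, apparent_ext, real_ext):
    """Build a Unitrix-style filename for exercising a detector.

    The stored name ends in '.' + real_ext, but an RLO before the tail makes a
    bidi-aware file manager draw the tail reversed, so the user sees
    prefix + real_ext + '.' + apparent_ext, e.g. 'photoexe.jpg'.
    """
    tail = f"{real_ext}.{apparent_ext}"[::-1]   # 'exe.jpg' reversed -> 'gpj.exe'
    return f"{prefix}{RLO}{tail}"


def simulate_display(name):
    """Approximate how a bidi-aware UI renders NAME (override runs only).

    Only RLO ... PDF/end-of-string runs are reversed; the full Unicode
    bidirectional algorithm is more involved, but this is enough to show the
    disguise. Other control characters have no glyph and are dropped.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def strip_bidi(name):
    """Remove every bidi control so the name renders exactly as stored."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def inspect_filename(name):
    """Compare the extension the OS will act on with the one the user sees."""
    displayed = simulate_display(name)
    actual_ext = os.path.splitext(name)[1].lower()         # what the OS uses
    apparent_ext = os.path.splitext(displayed)[1].lower()  # what the eye sees
    controls = sorted({unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS})
    return {
        "raw": name,
        "displayed": displayed,
        "safe_display": strip_bidi(name),
        "actual_ext": actual_ext,
        "apparent_ext": apparent_ext,
        "bidi_controls": controls,
        # Any bidi control in a filename is worth flagging; flag loudly when it
        # hides an executable behind a different apparent extension.
        "suspicious": bool(controls),
        "hidden_executable": bool(controls) and actual_ext in EXECUTABLE_EXTS
                             and actual_ext != apparent_ext,
    }


if __name__ == "__main__":
    # Constructed sample names, not Avast's actual samples.
    for n in ("holiday_photo.jpg", build_unitrix_name("holiday_photo", "jpg", "exe")):
        r = inspect_filename(n)
        print(f"{r['displayed']!r:26} actual={r['actual_ext']} seen={r['apparent_ext']} "
              f"hidden_executable={r['hidden_executable']}")
```

The practical fix is the one strip_bidi shows: a mail gateway, download manager or file picker that strips or rejects bidirectional controls in file names removes the disguise entirely, and a filter that blocks any attachment whose stored extension is executable catches the Unitrix case regardless of how the name is drawn.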


M86 Security Labs also found bad guys purposely exploiting the bad spellers and typists among us. In what is called "typosquatting," the cyber criminals register domain names that are commonly misspelled versions of popular websites' addresses, like YouTube, so that a slip of the fingers lands the visitor on a site the attackers control. This isn't really new -- I remember many years ago when Bill Clinton was in the White House, I accidentally typed in Whitehouse.com when I meant to type Whitehouse.gov and ended up at a porn site. (It took me a second to realize that I made a mistake and that the president was not in hot water over alleged affairs again.) But bad guys are now taking advantage of the problem to scam people who think they are going to the right website. Showing examples of what a particular typosquatting site looks like, M86's website explained:

You can clearly see how the people behind this typosquatting scam take advantage of an organization's strong visual brand to trick unsuspecting users into parting with their personal information. In this case, by imitating YouTube's look and feel, the scamsters piggyback on that brand's trust to make the "rewards" seem genuine.
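As an added example, not M86's code, here is one way to generate the one-keystroke misspellings of a brand domain (the names a squatter would register) and to check whether a host a user just typed or clicked is a near miss of a brand on a watch-list. The BRANDS list, the split_domain helper and the reason labels are constructed for this example; it assumes simple label.suffix domains and does not handle public suffixes or look-alike (homoglyph) characters.

```python
# Constructed watch-list of brands to protect. A real deployment would load
# the organisation's own domains and the brands its users are phished with.
BRANDS = ["youtube.com", "whitehouse.gov"]


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance.

    Counts insertions, deletions, substitutions and adjacent transpositions,
    which together cover the typing slips typosquatters register against.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_domain(domain):
    """Split 'label.suffix' into its parts, dropping a leading 'www.'.

    Assumes simple two-part names; public-suffix handling is out of scope here.
    """
    domain = domain.lower().rstrip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    label, _, suffix = domain.partition(".")
    return label, suffix


def typo_variants(domain):
    """Generate the one-keystroke misspellings of DOMAIN a squatter might register."""
    label, suffix = split_domain(domain)
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # omission:      youtub
        out.add(label[:i] + ch + label[i:])                 # doubling:      youttube
        if i + 1 < len(label):                              # transposition: yuotube
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in "aeiou":                                   # vowel swap:    yautube
            out.update(label[:i] + v + label[i + 1:] for v in "aeiou" if v != ch)
    out.discard(label)
    return {f"{v}.{suffix}" for v in out}


def classify_host(host, brands=BRANDS):
    """Return (brand, reason) if HOST looks like a typosquat of a brand, else None."""
    label, suffix = split_domain(host)
    for brand in brands:
        b_label, b_suffix = split_domain(brand)
        if label == b_label and suffix == b_suffix:
            return None                                    # the genuine site
        if label == b_label and suffix != b_suffix:
            return (brand, "tld-swap")                     # whitehouse.com vs .gov
        if suffix == b_suffix and osa_distance(label, b_label) == 1:
            return (brand, "one-keystroke-typo")           # yuotube.com
    return None


if __name__ == "__main__":
    for h in ("youtube.com", "yuotube.com", "whitehouse.com", "example.com"):
        print(f"{h:18} -> {classify_host(h)}")
```

Brand owners use the typo_variants output to register or monitor the misspellings before a squatter does; defenders use classify_host as a proxy or DNS-log check, since a domain one keystroke away from a watched brand is worth a warning page or at least an alert. Any such check must special-case the genuine domain, which is why the exact match returns None before the distance test runs.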

So, while we may have gotten smarter about what we click on, the hackers are taking advantage of our general laziness over what we type into the browser's address bar and how closely we read a file name. A few extra seconds to double check the full address, or the real extension on a file, could save a lot of time, trouble and money down the road.