{"id":23254,"date":"2023-10-30T16:10:02","date_gmt":"2023-10-31T00:10:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16984\/"},"modified":"2023-10-30T16:10:02","modified_gmt":"2023-10-31T00:10:02","slug":"news-16984","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16984\/","title":{"rendered":"Clever malvertising attack uses Punycode to look like KeePass’s official website"},"content":{"rendered":"\n

Threat actors are known for impersonating popular brands in order to trick users. In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager which was extremely deceiving. We previously reported<\/a> on how brand impersonations are a common occurrence these days due to a feature known as tracking templates, but this attack used an additional layer of deception.<\/p>\n

The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site. The difference between the two sites is visually so subtle it will undoubtably fool many people.<\/p>\n

We have reported this incident to Google but would like to warn users that the ad is still currently running.<\/p>\n

Malicious ad for KeePass<\/h2>\n

The malicious advert shows up when you perform a Google search for ‘keepass’, the popular open-source password manager. The ad is extremely deceiving as it features the official Keepass logo, URL and is featured before the organic search result for the legitimate website.<\/p>\n

By simply looking at the ad, you would have no idea that it is malicious. <\/p>\n

\"\"<\/figure>\n

Figure 1: Malicious ad for KeePass followed by legitimate organic search result<\/em><\/p>\n

People who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots and anyone not deemed to be a genuine victim. The threat actors have set up a temporary domain at keepasstacking[.]site that performs the conditional redirect to the final destination:<\/p>\n

\"\"<\/figure>\n

Figure 2: Network traffic showing the sequence of redirects upon clicking the ad<\/em><\/p>\n

\u0137eepass.info<\/h2>\n

Looking at the network traffic log above, we can see that the destination site uses Punycode, a special encoding to convert Unicode characters to ASCII. The deception is complete for users who may want to verify that they are on the right website.<\/p>\n

\"\"<\/figure>\n

Figure 3: The fake KeePass site with a barely noticeable different font<\/em><\/p>\n

While it is barely noticeable, there is a small character under the ‘k’. We can confirm it by converting<\/a> the internationalized domain name xn--eepass-vbb[.]info<\/em> to \u0137eepass[.]info<\/em>:<\/p>\n

\"\"<\/figure>\n

Figure 4: Converting Punycode to ASCII<\/em><\/p>\n