Security researchers have detected a number of phishing sites hosted on emoji domains.
According to a blog post by researchers at Phishlabs, all detected sites have a few things in common. First, they are hosted on the .WS Top Level Domain (TLD). Second, the use domains with numerous subdomains (also emojis), and last, they make use of redirects to avoid detection.
Olivia Vining, senior cyber threat intelligence analyst at Phishlabs, said that over the past few years, a small number of TLDs such as .WS, .FM and .TO have started supporting the use of emoji domains. These domains are created using punycode, which is then translated by browsers (at least some of them) to display emoji domains.
"Unfortunately, phishers have found an alternative and less innocent use for emoji domains: to pique the interest of would-be victims, and induce them to visit malicious phishing sites," she said.
She said that analysts at Phishlabs are currently investigating active phishing campaigns making use of emoji domains.
"Right now, this tactic is just that — A new technique being tested by phishers to see whether it will increase the efficacy of their campaigns. Just like emoji domains themselves, it’s difficult to know whether emoji phish will become an established trend, or die out altogether," said Vining.
She added that while her team couldn’t be certain as to the purpose of the emoji phishing sites observed, analysts suspect they are intended to be accompanied by SMS lures.
"Again, while it’s only conjecture at this point, it seems likely that an SMS-based emoji phishing campaign could see some success, particularly with younger smartphone users," she said.
Vining said that at the moment, it’s worth viewing emoji domains with some cynicism. "When in doubt, go for the traditional URL (if available) or avoid them altogether."
Maor Hizkiev, co-founder and CTO of BitDam, told SC Media UK that emoji domains are just another trick in attacker’s handbook, like enclosing an attachment with the name "Invoice" or mimicking a mail to look like it was sent by "Netflix", aimed to lure the victim to click on the link.
"Organisations should add this use case to the phishing training done by the employees and adopt an advanced threat solution that can handle this type of attack," he said.
Jay Allen, director of Technical Alliances at Wandera, told SC Media UK that CISOs should be mindful of the speed at which attacks like these are created and how the nature of the attacks evolves to target users and trends.
"Education is only one part of the solution here, and the use of a mobile security solution should form part of the overall strategy. Such solutions identify and detect suspicious and even malicious URLs used in phishing attacks," he said.