Threat actors are known for impersonating popular brands in order to trick users. In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager, that was extremely deceptive. We previously reported on how brand impersonations are a common occurrence these days due to a feature known as tracking templates, but this attack used an additional layer of deception.
The malicious actors registered a copycat internationalized domain name that uses Punycode, a special character encoding, to masquerade as the real KeePass site. The difference between the two sites is visually so subtle it will undoubtedly fool many people.
We have reported this incident to Google but would like to warn users that the ad is still currently running.
Ad blockers are security tools. This proves it once again.
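The following is an added example, not code from the original article or from the KeePass project, showing how a defender can surface the Punycode trick described above: decode any `xn--` labels back to the Unicode the browser renders, note which scripts the letters come from, and reduce the hostname to the ASCII string it visually resembles so it can be compared against a list of protected brands. The brand list, the confusables table and the sample lookalike hostname are all constructed for the example; `keepass.info` is assumed to be the legitimate site, which the article does not name.

```python
import unicodedata

# Constructed list of brand hostnames to protect (assumption, not from the article).
PROTECTED_BRANDS = {"keepass.info"}

# Constructed subset of Unicode confusables: lookalike -> ASCII letter it imitates.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def decode_idn(host: str) -> str:
    """Turn an A-label hostname (xn--...) back into the Unicode form the browser
    would render. ASCII labels pass through unchanged."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label.encode("ascii").decode("idna"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_in(text: str) -> set:
    """Collect the script names (LATIN, CYRILLIC, GREEK, ...) of the letters in
    text, taken from the first word of each character's Unicode name."""
    found = set()
    for ch in text:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(text: str) -> str:
    """Reduce a hostname to the ASCII string it visually resembles: substitute
    known confusables, decompose accented letters and drop combining marks."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def assess(host: str) -> dict:
    """Return the signals a defender would log or alert on for one hostname."""
    decoded = decode_idn(host)
    scripts = scripts_in(decoded)
    visual = skeleton(decoded)
    # A genuine brand domain is, by definition, not impersonating itself.
    impersonates = visual if visual in PROTECTED_BRANDS and decoded != visual else None
    return {
        "input": host,
        "decoded": decoded,
        "is_idn": not decoded.isascii(),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "skeleton": visual,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    # Constructed sample: the brand name with both 'e's replaced by Cyrillic IE (U+0435),
    # encoded to the xn-- form that would appear in a DNS log or proxy log.
    lookalike = "k\u0435\u0435pass.info".encode("idna").decode("ascii")
    for candidate in ("keepass.info", lookalike):
        print(assess(candidate))
```

Run over a DNS or proxy log, a hostname whose skeleton matches a protected brand while its decoded form does not, or whose letters mix Latin with Cyrillic or Greek, is worth an alert; a legitimate IDN such as a German domain with an umlaut decodes to a single script and matches no brand, so it passes through without noise.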
My native language uses a non-Latin alphabet (Greek) and yet I hate Punycode URLs. No Greek websites use it, because if they did users would have to alt-shift two times to type the domain name and administrators would need to register two domain names (one for Greeks and one for non-Greeks). It’s a solution looking for a problem to solve that creates security issues. Make it die.
Wow. So many failed security checks.