Researchers from Malwarebytes Labs have uncovered a malvertising campaign that used the Google advertising network to promote malicious software disguised as the free password manager KeePass. The attackers used the domain “ķeepass.info”, which closely resembles the official KeePass project domain “keepass.info”. When a user searched Google for the keyword “Keepass”, an advertisement for the fake site appeared at the top of the search results, above the link to the official site.
The attackers employed a well-known phishing technique based on internationalized domain names (IDNs) containing homoglyphs: characters that look like Latin letters but are distinct characters with their own Unicode code points. The domain displayed as “ķeepass.info” is actually registered as “xn--eepass-vbb.info” in Punycode encoding; to most users, the name shown in the address bar looks like the legitimate domain. The attackers further strengthened the illusion of legitimacy by serving the fake site over HTTPS with a valid TLS certificate issued for the internationalized domain.
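The following script, added here as an illustration and not part of the original report, shows how a defender can inspect a domain from an ad, a URL log or a certificate transparency feed for exactly this kind of lookalike: it converts between the Punycode form the DNS sees and the Unicode form the user sees, lists every non-ASCII character with its code point and name, flags labels that mix scripts (the case registries already block), and compares a diacritic-stripped "skeleton" of the domain against a trusted list to catch same-script lookalikes such as ķ (U+0137) for k, which the registry rule does not stop. The sample domains and the trusted list are constructed for the example; the cross-script case (Cyrillic а, U+0430) needs a proper confusables table (UTS #39) to be matched against a brand, which this script deliberately does not attempt.

```python
import codecs
import unicodedata

# Constructed sample input: the legitimate domain, the lookalike described in
# the report (LATIN SMALL LETTER K WITH CEDILLA, U+0137), the same lookalike
# in Punycode form, and a mixed-script lookalike (CYRILLIC SMALL LETTER A, U+0430).
SAMPLE_DOMAINS = [
    "keepass.info",
    "\u0137eepass.info",
    "xn--eepass-vbb.info",
    "\u0430pple.com",
]

# Constructed trusted list: the check reports lookalikes of these domains.
TRUSTED = {"keepass.info", "apple.com"}


def to_unicode(domain: str) -> str:
    """Decode any Punycode (xn--) labels so the domain can be inspected as Unicode."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)


def to_punycode(domain: str) -> str:
    """Encode non-ASCII labels to Punycode (the form DNS and the certificate actually see)."""
    labels = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + codecs.encode(label, "punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def non_ascii_chars(domain: str):
    """Return (char, 'U+XXXX', Unicode name) for every non-ASCII character in the domain."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for ch in domain if not ch.isascii()]


def scripts(domain: str):
    """Approximate the scripts used by the letters: the first word of each Unicode name
    ('LATIN', 'CYRILLIC', 'GREEK', ...). Good enough to spot Latin/Cyrillic mixing."""
    found = set()
    for ch in domain:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(domain: str) -> str:
    """Strip diacritics via NFKD: ķ -> k + COMBINING CEDILLA -> k.
    This catches extended-Latin lookalikes that stay within the Latin script."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def check_domain(domain: str, trusted=TRUSTED) -> dict:
    """Report why a domain looks like a homoglyph impersonation, if it does."""
    uni = to_unicode(domain)
    result = {
        "submitted": domain,
        "unicode": uni,
        "punycode": to_punycode(uni),
        "non_ascii": non_ascii_chars(uni),
        "mixed_script": len(scripts(uni)) > 1,
        "impersonates": None,
    }
    # Same-script lookalike: not a trusted domain itself, but identical once
    # diacritics are removed (cross-script confusables are out of scope here).
    if uni not in trusted and skeleton(uni) in trusted:
        result["impersonates"] = skeleton(uni)
    result["suspicious"] = bool(result["non_ascii"] or result["mixed_script"]
                                or result["impersonates"])
    return result


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = check_domain(d)
        print(f"{r['submitted']!r}: punycode={r['punycode']} suspicious={r['suspicious']} "
              f"mixed_script={r['mixed_script']} impersonates={r['impersonates']} "
              f"non_ascii={r['non_ascii']}")
```

The Punycode form is the one to log, alert on and block: the DNS query, the certificate's subject name and the HTTP Host header all carry `xn--eepass-vbb.info`, so a rule on `xn--` labels resembling a trusted brand's skeleton works regardless of how the browser renders the name.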
To prevent such abuse, registries do not allow the registration of IDN domains that mix characters from different scripts. For example, a domain like “аpple.com” (“xn--pple-43d.com”) cannot be created by substituting the Latin “a” (U+0061) with the Cyrillic “а” (U+0430). Mixing ASCII Latin letters with characters from other Unicode scripts in a domain name is generally blocked as well. However, the attackers exploited an exception to this restriction: mixing ASCII letters with extended Latin Unicode characters, which belong to the same script. In this attack, they used the letter “