Disneyland Malware Team: It’s a Puny World After All

Condobloke




November 16, 2022


A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.



The Disneyland Team uses common misspellings for top bank brands in its domains. For example, one domain the gang has used since March 2022 is ushank[.]com — which was created to phish U.S. Bank customers.

But this group also usually makes use of Punycode to make their phony bank domains look more legit. The U.S. financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team’s domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ[.]com.

Look carefully, and you’ll notice small dots beneath the “a” and the second “e”. You could be forgiven if you mistook one or both of those dots for a speck of dust on your computer screen or mobile device.

etc
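The decode-and-compare check a mail gateway or brand-protection monitor would run against domains like the ones above, as an added example in Python (not code from the article or from the group it describes). It converts xn-- labels back to the U-label a browser renders, folds combining marks such as the dot below ạ and ẹ onto their Latin base letters with NFKD, maps a handful of Cyrillic look-alikes the same way, and then compares the result against a watch-list of brand domains. The watch-list, the confusables table and the sample domains are constructed for illustration; the ushank[.]com-style misspelling is caught by a one-character edit-distance test rather than by Unicode folding.

```python
"""Flag look-alike bank domains: Punycode homographs and simple typosquats."""
import codecs
import unicodedata

# Brand domains to protect. Constructed watch-list for this example.
WATCHLIST = {"usbank.com", "ameriprise.com", "paypal.com", "linux.org"}

# Cyrillic letters that render almost identically to Latin ones. NFKD does not
# fold these (they are a different script, not decorated Latin letters), so an
# explicit map is needed. Assumption: this short table is illustrative, not a
# complete confusables list.
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
})


def to_unicode(domain):
    """Convert A-labels (xn--...) back to the U-labels a browser would display."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            # Strip the ACE prefix and undo the Punycode (RFC 3492) encoding.
            label = codecs.decode(label[4:].encode("ascii"), "punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Reduce a displayed domain to its plain-Latin look-alike form.

    NFKD splits precomposed letters such as U+1EA1 (a with dot below) into a
    base letter plus a combining mark (category Mn); dropping the marks leaves
    the bare 'a'. Cyrillic look-alikes are then mapped through the table above.
    """
    decomposed = unicodedata.normalize("NFKD", domain)
    stripped = "".join(c for c in decomposed if unicodedata.category(c) != "Mn")
    return stripped.translate(CYRILLIC_CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, watchlist=WATCHLIST, max_typo_distance=1):
    """Return (verdict, brand): 'exact', 'homograph', 'typosquat' or 'unrelated'."""
    shown = to_unicode(domain)
    if shown in watchlist:
        return "exact", shown
    folded = skeleton(shown)
    # Folding changed the string and landed on a brand: a Unicode homograph.
    if folded != shown and folded in watchlist:
        return "homograph", folded
    # Otherwise look for a plain misspelling of a brand (ushank vs usbank).
    for brand in watchlist:
        if edit_distance(folded, brand) <= max_typo_distance:
            return "typosquat", brand
    return "unrelated", None


if __name__ == "__main__":
    # Constructed samples: the article's two domains plus a couple of extras.
    for d in ("xn--meripris-mx0doj.com", "ushank.com", "lin\u00fcx.org", "usbank.com"):
        print(d, "->", to_unicode(d), classify(d))
```

One caveat when reading the verdicts: this is the view from the wire, where the domain always arrives as the xn-- form. Whether a given browser shows the decoded ạmeriprisẹ.com or falls back to the raw Punycode depends on its IDN display policy, so a check like this belongs in the mail gateway, the proxy log pipeline or a registration monitor rather than relying on what the address bar happens to render.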

 


I 'member when they enabled this in domain names and how many of us figured it was not going to end well. It'd be really easy to make a fake PayPal domain that looked good in the browser.

It just reinforces what I always recommend:

If it's even remotely important, don't click links in email. When possible, go to the site manually before entering your username and password.

Now, I still click all sorts of links in email - but they're not important things. I don't click links to my credit union or banks. I'll happily click a linux.org link, but I'm always logged in here. I'd notice that I wasn't logged in and would start looking around carefully, mostly 'cause I'd be curious about phishing me with a linüx.org domain.
 
