Can you see why this WhatsApp message can’t be trusted?


Can you see why this URL can't be trusted?

Take a look at the above message that WhatsApp users have reported being sent to them via the messaging app. It claims that there is a free £250 voucher up for grabs which you can use to buy your groceries at an ASDA supermarket. Other versions claim that similar vouchers are available for Tesco and Marks & Spencer.

But can you see why you should be wary of clicking?

Well, not only does it sound too good to be true, but take a closer look at that URL the message says you should click on.

Fake asda

Do you see the little mark above the “d” in “Asda”? It’s not a speck of dirt on your smartphone’s screen.

The “d” in the URL is in fact a “đ” (also known as a crossed d, or a d-stroke).

That’s easy enough to tell when you see the image blown up on your desktop computer screen, but it’s a lot harder to spot when it appears in a WhatsApp message on your smartphone.

The character đ (Unicode U+0111) may not be used in English, but it is used in several other languages – and it turns out that technology’s ability to support a wide variety of languages comes at a cost.

What you’re seeing here is called a homograph attack, which exploits the fact that many different characters look alike. The technique makes it trivial for internet attackers to use near-identical looking characters to dupe unsuspecting users into clicking on dangerous links.

Phishers, for instance, love to use the trick to dupe you into thinking you are entering your credentials into your bank’s legitimate website.
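One way a message filter or a curious reader could check a link for this trick, as an added example that is not part of the original article: the hostnames under `.example` are constructed stand-ins for the URL in the screenshot, and `inspect_link` is a hypothetical helper name.

```python
import unicodedata
from urllib.parse import urlsplit

def inspect_link(url):
    """Report non-ASCII characters hiding in a URL's hostname."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        odd = [ch for ch in label if ord(ch) > 127]
        for ch in odd:
            findings.append({
                "label": label,
                "char": ch,
                "codepoint": f"U+{ord(ch):04X}",
                "name": unicodedata.name(ch, "UNKNOWN"),
                # ASCII letters alongside a non-ASCII one in the same label
                # is the pattern lookalike domains rely on.
                "mixed_with_ascii": any(c.isascii() and c.isalpha() for c in label),
            })
    try:
        # The IDNA ("xn--") form is what DNS actually resolves; showing it
        # makes the substitution obvious to a human reader.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None  # not encodable as a valid IDNA hostname
    return {"host": host, "ascii_host": ascii_host, "findings": findings}

if __name__ == "__main__":
    # Constructed sample URLs; the first imitates the trick in the message.
    for url in ("http://www.asđa.example/voucher", "http://www.asda.example/voucher"):
        report = inspect_link(url)
        verdict = "SUSPICIOUS" if report["findings"] else "ok"
        print(f"{verdict:10} {report['host']} -> {report['ascii_host']}")
        for f in report["findings"]:
            print(f"    {f['char']!r} {f['codepoint']} {f['name']}")
```

A non-empty findings list is not proof of fraud, since legitimate internationalised domains exist; it is a prompt to compare the `xn--` form against the brand's real domain before trusting the link.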

The latest spate of messages seen being spread on WhatsApp, as reported by The Mirror and Action Fraud, are not unique attacks, but they are worth bearing in mind when you receive suspicious messages via WhatsApp, SMS, Facebook Messenger, and so on.

Take care out there.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s, when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.

Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.
