Confundo - abusing Unicode for fun and phishing


#1

Yo, found this script recently: https://github.com/Tompazi/confundo

What this script does is it replaces letters with similar looking Unicode glyphs. So you feed it a string, and it outputs several strings that look the same, yet use different characters.

An example that comes to mind: If your target is using a chat program that allows Unicode in user names, you might be able to impersonate an admin, some relative or a friend, and try to talk them into giving up info you’re after.


([email protected] [email protected]) #2

Nice! I can already see myself using this, honestly.


(The C# Dude) #3

Ever wondered why so many sites don’t allow Unicode to be used in usernames? Yep, that’s the reason…

// Edit: A simple online converter: Homoglyph Attack

One example: Joe_Schmoe --> Jοe_Schmoe

Could you spot the difference?

Proof (SHA-256):

Original: bb1c1ec26ebae7df700719461ce0a0bc5aac1aac2fa11cc0a345c9512776e13c
Fake: 650c21d8405085c8e6f0469ed5c4e770ad50e0cb4231f603693b631fe8be3d7b


(Command-Line Ninja) #4

This looks solid. I’m curious to know if this works on this site?


(The C# Dude) #5

Nope. When I tried to register pry0сс (Yes, that’s already the fake version; no chance to identify it :wink:), it said only numbers, letters and underscores are allowed…


(Not a N00b, but still learning) #6

Interesting website, but it doesn’t seem to work for me. It only gives out the original one. Already tried it on the 0x00sec registration form and it says ‘username already taken’. Must be doing something wrong… :confused:


(The C# Dude) #7

1.) Type in the text box the original username
2.) Now you can choose different characters (Radio buttons) for the letters (Focus on 'o’s; they can easily be changed :wink:)
3.) Copy the fake username at the bottom

Should work :slight_smile:. Maybe you’ve forgot to change some of the letters before copying?


(Not a N00b, but still learning) #8

Thanks for your advise. It seems that I was really too stupid to customize the options :joy: However, it also seems that my browser auto-corrects some of the characters in a url. I can see it being useful with usernames and such :slight_smile:


#9

I’m not that knowledgeable about this but it would be interesting to test which sites allow such “badly formatted” usernames for registration.
Is there an easy way to see who filters such stuff right away? Seems like some browsers already do it ? ( from what I read from @SmartOne )