Lately, I kept receiving the following message from contacts on my business WhatsApp number:
Hello, Singapore Airline is giving away 2 Free FirstClass Tickets to celebrate 45th anniversary, Now you can get your tickets too ! go here to get it: http://www.singaporeaır.com/firstclass Enjoy your flight!.
It is surprising how careless people can be when forwarding such messages around. A few things in the message above give away that it is not authentic:
- The English. “Singapore Airlines” is spelled without the “s” at the end, and there is inconsistent and unnecessary capitalisation of letters, along with inappropriate spaces and punctuation.
- The hyperlink might appear to be singaporeair.com but if you take a closer look, you will notice that there’s something wrong with the letter “i” in the word “air”. We’ll elaborate below.
So what happened to the dot in the “i”? Turns out that the letter is actually:
ı
The letter i without a dot above.
Source: Wikipedia
This is a visual trick used by people with malicious intent to lower the guard of people who have learned to be suspicious of obviously dubious URLs. Such people will go “Hey, the URL looks legit” and proceed to click on it.
By the time I found some time to write this post, the site had been taken down. However, I still want to explain more about the web technologies used to bait people to the site.
How did the scammer do it?
Scammers have been using internationalized domain names (IDNs) to create lookalikes of legitimate domain names for some time now. But because DNS servers cannot handle the Unicode characters of IDNs, Punycode is used to convert the Unicode to ASCII characters. For the above domain, www.singaporeaır.com actually converts to www.xn--singaporear-8zb.com. And if you were to look up the domain name, it claims to be registered in the Bahamas:
Domain Name: XN--SINGAPOREAR-8ZB.COM
Registry Domain ID: 2182998491_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internetbs.net
Updated Date: 2017-11-04T05:16:54Z
Creation Date: 2017-11-04T04:45:22Z
Registrar Registration Expiration Date: 2018-11-04T04:45:22Z
Registrar: Internet Domain Service BS Corp.
Registrar IANA ID: 2487
Registrar Abuse Contact Email: abuse@internet.bs
Registrar Abuse Contact Phone: +1.5167401179
Reseller:
Domain Status: clientTransferProhibited - http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Admin
Registrant Organization: Whois Privacy Corp.
Registrant Street: Ocean Centre, Montagu Foreshore, East Bay Street
Registrant City: Nassau
Registrant State/Province: New Providence
Registrant Postal Code:
Registrant Country: BS
Registrant Phone: +1.5163872248
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: xn--singaporear-8zb.com-owner-ysp5@customers.whoisprivacycorp.com
Registry Admin ID:
Admin Name: Domain Admin
Admin Organization: Whois Privacy Corp.
Admin Street: Ocean Centre, Montagu Foreshore, East Bay Street
Admin City: Nassau
Admin State/Province: New Providence
Admin Postal Code:
Admin Country: BS
Admin Phone: +1.5163872248
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: xn--singaporear-8zb.com-admin-85n9@customers.whoisprivacycorp.com
Registry Tech ID:
Tech Name: Domain Admin
Tech Organization: Whois Privacy Corp.
Tech Street: Ocean Centre, Montagu Foreshore, East Bay Street
Tech City: Nassau
Tech State/Province: New Providence
Tech Postal Code:
Tech Country: BS
Tech Phone: +1.5163872248
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: xn--singaporear-8zb.com-tech-qfid@customers.whoisprivacycorp.com
Name Server: ns-canada.topdns.com
Name Server: ns-uk.topdns.com
Name Server: ns-usa.topdns.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2017-11-07T06:47:31Z <<<
The profile of the registrant has been anonymised as part of a value-added service provided by the registrar, but even then, we should take the above information with a pinch of salt. One important point to note is that the domain was only registered 3 days ago and we don’t know what else this person plans to do.
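The Punycode conversion described above can be turned into a check that a mail or chat filter runs on every link. The following is an added example, not code from the original post: it decodes and re-encodes the hostname, names every non-ASCII character, and compares a "skeleton" of the host against a protected list. The CONFUSABLES table and PROTECTED list are small constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately tiny confusables table (an assumption of this
# example); real checks use the full Unicode UTS #39 confusables data.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the character in this scam)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
}
PROTECTED = {"singaporeair.com"}  # hypothetical list of brands to defend


def to_unicode(host):
    """Decode xn-- labels so the check sees what the user would see."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)


def to_ascii(host):
    """Encode non-ASCII labels into the xn-- form that DNS actually carries."""
    return ".".join(
        label if label.isascii()
        else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split("."))


def check_link(url):
    """Report the DNS form, the odd characters, and any brand being imitated."""
    host = to_unicode(urlsplit(url).hostname or "")
    odd = [unicodedata.name(c, "UNKNOWN") for c in host if not c.isascii()]
    skeleton = "".join(CONFUSABLES.get(c, c) for c in host)
    spoofed = sorted(d for d in PROTECTED
                     if odd and (skeleton == d or skeleton.endswith("." + d)))
    return {"ascii": to_ascii(host), "non_ascii": odd, "impersonates": spoofed}


if __name__ == "__main__":
    # Both spellings of the link from the message, plus the genuine host.
    for url in ("http://www.singaporeaır.com/firstclass",
                "http://www.xn--singaporear-8zb.com/firstclass",
                "https://www.singaporeair.com/"):
        print(url, "->", check_link(url))
```

The same result comes back whether the link arrives in its Unicode spelling or in its xn-- form, so the check does not depend on how the messaging app chooses to render the URL.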
Be very careful even if the link was sent by someone you know
Whatever you do, please be very careful even when friends forward links to you via WhatsApp, Facebook or any other platform. There are two main possible scenarios:
- Your friend/contact knowingly forwarded the link to you but didn’t know that the link is fake
- Your friend/contact’s device sent the link to everyone in the contact list without his/her knowledge. This can happen to a compromised device.
Do your friend/contact a favour and alert him/her about the link instead of just clicking on it. Together, we can foil the plans of these scammers.