IBM Security QRadar

 View Only

Homoglyph detection with QRadar

By Gladys Koskas posted Mon January 31, 2022 04:09 PM


Hey guys !

Are you done dealing with all the emails that piled up during the holidays and back to normal ? Ready to learn about cool stuff you can implement ?
Today I am here to tell you about the HOMOGLYPH function that is included in the Threat Monitoring Content Extension !

What is a homoglyph?

A homoglyph is a character or a grapheme with a shape that appears identical to another one

We're used to deal with some of them everyday, with the letter "O" and the number "0", the lower case "l" and upper case "I" as an example, and it doesn't hide anything malicious most of the time (although it can be very annoying when you're trying to connect to your friend's wifi).
But "most of the time" means that sometimes, it can be used by malicious actors to fool users and get them to click on links they wouldn't have followed normally... The difficulty level to generate homoglyphs is easy and can even be done online, so this practice is very common in phishing attacks.

The list of examples is actually really long and I will show you a few unexpected ones right now (I mean it when I say unexpected !):

Can you spot the character that I switched here ʔ
I assurе yⲟu thеrе is anⲟthеr ⲟnе ⲟn this linе․
This is the last ехаmрᛁе I promise :)

You can check this list for reference:

Don't read what is below if you still want to guess where I messed up !

  1. In the first sentence I changed the question mark.
  2. In the second example, you might have found that I played with the o, have you caught the six e that changed too ?
  3. Do you believe only the m or l has been switched in the last one? It is actually the entire word "example" that has been changed.
    This one is so resembling that I doubted myself and did a copy/paste of the word in google to verify that I actually included the right one in the blog! 

How to detect homoglyphs ?

There are so many combinations and it is so difficult to spot them, that we developed the HOMOGLYPH function for you to use in your searches and rules !
It is really straight forward, simply select the property you want to scan and choose if you want to return results with homoglyphs with TRUE or FALSE.

The example below shows results on a Bluecoat device when the URL Host contains homoglyphs:

The function is pre-filled with 1792 entries from A-Z (lower and uppercase) and 0-9 excluding Latin, and works on both events and flows.

Now the only thing left to do is to enable detection in real time
The Threat Monitoring Content Extension includes two rules using this function, one for events, the other for flows.

You'll notice that the rules are disabled by default, this is simply due to the long list of characters that is included in the function and the fact that some countries in your company might be regularly using Greek, Hebrew or Cyrillic as an example.
In this case, it might be useful to add conditions in the rule and exclude specific characters, networks or log sources to avoid false positives. Omega has been included by default as an example.

As I mentioned at the beginning, the use of homoglyphs is very common in phishing attacks, so I am also linking our IBM QRadar Phishing and Email Content Extension in case you are interested.

Don't forget to check out for our custom properties sets for mail and proxy devices.

I hope this will help you catch more hidden threats, as usual feel free to share any idea go to even further, we'll do our best to implement it.
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.