Zero-Width Space (ZWSP) Vulnerability for phishing


Zero-Width Space is the use of secret characters to hide messages in URLs or documents.

Most of you may be familiar with zero-day attacks, where security teams are unaware of a vulnerability in their software and have had “0” days to work on a security patch or an update to fix the issue. A different kind of zero, the zero-width space (ZWSP) character, has been observed in phishing attacks in recent years.

In this context, ZWSP refers to the use of invisible characters to hide content in URLs or documents. It is a form of steganography, but applied to text. ZWSP characters are hidden, non-printable characters, and email messages or URLs containing these non-printable malicious characters are omitted from the alert list. Browsers encode letters, alphabets and numbers as Unicode, and ZWSP abuse takes advantage of the fact that Unicode is designed to support every language spoken in the world.

ZWSP characters come from the character sets of languages other than English. One that malicious actors particularly favour is a character that takes up no space when displayed. Using such characters as binary digits, they can represent any text and interleave it with normal text.

It is not visible to the naked eye but can be included in text strings. In a phishing context, attackers may use ZWSP characters to deceive users and make malicious links or URLs appear legitimate. Hackers insert a zero-width space (&#8204;) in the middle of a malicious URL or in an email's raw HTML. Because the URL was broken up by so many special characters, domain reputation checks and Safe Links were not able to identify the URL for what it was.

Here's an example to illustrate how it can be used:

Let's say there is a legitimate website with the URL "example.com". An attacker could create a phishing link that looks similar, but with a zero-width space (&#8204;) added to the malicious URL to obfuscate it.

How the URL looks to users: https://example.com/

In the above example, there are ZWSP characters placed between each letter of the URL, making it visually appear identical to "example.com". However, if a user copies and pastes the link, they will unknowingly include the ZWSP characters, resulting in a different URL that leads to a phishing site.

This technique aims to trick users into believing they are visiting a legitimate website when, in reality, they are being directed to a malicious one. It exploits the fact that most users rely on visual inspection rather than analyzing the actual characters present in a URL.
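As an added illustration (not part of the original post), the following Python detector shows the check a mail filter or analyst script can apply: it decodes HTML entities such as &#8204; (which is U+200C, the zero-width non-joiner; the zero-width space proper is U+200B), flags every zero-width code point in a URL or raw HTML, and reports the form the user would see. It goes slightly beyond the post by covering the related zero-width code points as well. The sample URLs and HTML snippet are constructed.

```python
import html
import unicodedata

# Zero-width / invisible code points that render as nothing and are therefore
# usable to break up a URL without changing how it looks.
# U+200B zero-width space, U+200C zero-width non-joiner (&#8204;),
# U+200D zero-width joiner, U+2060 word joiner, U+FEFF zero-width no-break space.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def find_zero_width(text):
    """Return (index, Unicode name) for every zero-width character in text.

    HTML entities are decoded first so an email's raw HTML (where the attacker
    may write &#8204; literally) is checked the same way as rendered text.
    """
    decoded = html.unescape(text)
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(decoded)
            if ch in ZERO_WIDTH]


def strip_zero_width(text):
    """The string as a user would visually perceive it: entities decoded,
    zero-width characters removed. Compare this against the raw value."""
    decoded = html.unescape(text)
    return "".join(ch for ch in decoded if ch not in ZERO_WIDTH)


def classify_url(text):
    """Summarise whether a URL/HTML fragment hides zero-width characters."""
    hits = find_zero_width(text)
    return {
        "suspicious": bool(hits),
        "hidden_chars": len(hits),
        "visible_form": strip_zero_width(text),
    }


if __name__ == "__main__":
    # Constructed samples: a clean URL, a URL with a raw U+200B inside the
    # hostname, and an email HTML snippet using the &#8204; entity.
    samples = [
        "https://example.com/",
        "https://exam\u200bple.com/",
        '<a href="https://exa&#8204;mple.com/login">Sign in</a>',
    ]
    for s in samples:
        print(classify_url(s))
```

In a filter, the useful signal is `hidden_chars > 0` combined with `visible_form`, which is the hostname reputation checks should actually be run against.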

Preventive measures

To protect yourself from such attacks, it is important to exercise caution when clicking on links, especially those received via emails, messages, or other untrusted sources.

  • Modern web browsers often have built-in security features that can help detect and warn you about potential phishing attempts. Keep these features enabled and up to date.

  • Before clicking on a link, hover your mouse cursor over it to view the actual URL. Pay attention to the status bar or tooltip that appears, as it may reveal the full URL, including any hidden characters.

  • Stay updated on the latest phishing techniques and security practices. Regularly educate yourself and your organization about phishing risks and prevention measures.

  • Scrutinize URLs for any irregularities or inconsistencies, such as misspellings or additional characters. Be particularly cautious when providing sensitive information on websites.

  • Instead of clicking on links, manually type the website address in your browser. This reduces the risk of hidden characters being present.

Remember, vigilance and skepticism are key when it comes to online security. If you encounter a suspicious email or website, report it to the appropriate authorities or the organization being impersonated so they can take appropriate action.