
BiDi Swap: How Attackers Exploit Bidirectional Text to Create Convincing Fake URLs
Attackers are exploiting bidirectional text in URLs to create convincing fake URLs, reviving a decade-old browser vulnerability that now fuels new phishing techniques. Varonis has uncovered the "BiDi Swap" technique, which uses Unicode control characters to reverse the displayed order of characters in a URL, tricking users into believing they are visiting a legitimate site. Bidirectional text is a Unicode feature that allows text to be displayed in different directions: left-to-right for English and right-to-left for languages such as Arabic or Hebrew. By manipulating the direction in which part of a URL is rendered, attackers can make a malicious URL appear to be a trusted domain. For example, "https://www.evil.com" could be made to display as "https://www.live.com" by reversing the "evil" portion of the text. This significantly increases the risk of phishing attacks, as users may not realize they are visiting a malicious site. The impact on the cybersecurity landscape is substantial, because the method undermines one of the most common defenses against phishing: the user checking the URL before clicking. Organizations must stay vigilant and update their defenses against this evolving threat. Cybersecurity professionals should educate users about the risks, implement technical controls to detect or block such URLs, and work with browser vendors to mitigate the vulnerability. The resurgence of a decade-old vulnerability highlights the importance of remaining aware of old issues that can be exploited in new ways.
The BiDi Swap technique leverages Unicode control characters, specifically the Right-to-Left Override (RLO) character (U+202E) and other bidirectional control characters, to manipulate the visual representation of URLs. When such a control character is inserted into a URL, the characters that follow it are rendered from right to left, so a malicious URL can be made to read as a legitimate one. For instance, "https://www.evil.com" could be displayed as "https://www.live.com" by inserting the RLO character before the "evil" part of the domain, because "evil" rendered right-to-left reads "live". The manipulation is particularly effective because the underlying URL is unchanged: hovering over or copying the link may still reveal the malicious domain, while the visual representation in the browser's address bar or in a hyperlink remains deceptive.
The implications for cybersecurity are significant. Phishing attacks are already a major threat, and this technique makes them even more dangerous by making it harder for users to identify malicious URLs. Traditional advice to users, such as "always check the URL before clicking," becomes less effective when the URL can be visually manipulated. This technique can also bypass some email and web filters that rely on URL reputation or pattern matching, as the actual URL may not match known malicious patterns until it's too late.
To defend against this threat, organizations should consider implementing several measures. First, user education is crucial. Users should be trained to carefully inspect URLs, especially when they appear in emails or on web pages. They should be advised to hover over links to see the actual URL before clicking and to look for any unusual characters or patterns. Second, technical controls can be implemented to detect and block URLs that contain bidirectional control characters. Web filters and email security solutions can be configured to flag or block URLs that exhibit suspicious patterns. Third, organizations should work with browser vendors to ensure that bidirectional text manipulation is addressed at the browser level. Some browsers may already have protections against this type of attack, but it's important to stay updated on the latest developments and patches.
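The technical control described above, implemented as an added example (this is not Varonis's code or code from the original article): the checker flags any URL that contains a Unicode bidirectional formatting character, reports where it sits, and returns the hostname that would actually be requested once the controls are removed. It also decodes percent-encoding first, since a filter inspecting mail or proxy logs may see the control character as "%E2%80%AE" rather than as a raw code point. The sample URLs in the test are constructed.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Unicode bidirectional formatting characters (the Bidi_Control property).
# None of them has a legitimate use inside a hostname, so any occurrence
# in a URL is a strong indicator of a BiDi-style display attack.
BIDI_CONTROLS = frozenset(
    "\u061c"          # ARABIC LETTER MARK
    "\u200e\u200f"    # LEFT-TO-RIGHT MARK, RIGHT-TO-LEFT MARK
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO (U+202E)
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
)


def find_bidi_controls(url: str) -> list[tuple[int, str, str]]:
    """Return (offset, code point, Unicode name) for each bidi control.

    Offsets refer to the percent-decoded string, so an encoded
    "%E2%80%AE" is found at the position where U+202E would render.
    """
    decoded = unquote(url)
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(decoded)
        if ch in BIDI_CONTROLS
    ]


def strip_bidi_controls(url: str) -> str:
    """Remove bidi controls so the text matches what a client would request."""
    return "".join(ch for ch in unquote(url) if ch not in BIDI_CONTROLS)


def assess_url(url: str) -> dict:
    """Flag a URL whose rendered form may differ from its real destination."""
    hits = find_bidi_controls(url)
    actual_host = urlsplit(strip_bidi_controls(url)).hostname or ""
    return {"suspicious": bool(hits), "controls": hits, "actual_host": actual_host}


if __name__ == "__main__":
    # Constructed sample: RLO inserted before "evil", as the article describes.
    for sample in ("https://www.live.com/login", "https://www.\u202eevil.com/login"):
        print(repr(sample), "->", assess_url(sample))
```

A mail or web filter would apply `assess_url` to every link in a message and quarantine or rewrite any result with `suspicious` set, logging `actual_host` so analysts see the real destination rather than the rendered one.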
In conclusion, the BiDi Swap technique is a sophisticated method for creating convincing fake URLs that can bypass traditional defenses against phishing. Cybersecurity professionals must be aware of this threat and take proactive steps to protect their organizations. By combining user education, technical controls, and collaboration with browser vendors, organizations can mitigate the risks posed by this emerging threat.