The Danger of Capital Letters or the "Always Working" Phishing Scheme

This chapter will be one of the simplest and shortest in the course, and many will say after reading it that it is obvious. Maybe it is obvious, but the described technique is actively used and works effectively.

Here is the site WWW.PANlCBUTTON.PW, which you know well. In reality, though, this is not the link it appears to be. In the Latin alphabet, the capital letter I and the lowercase letter l look almost identical, and this link uses a lowercase l in place of the capital I.

As a rule, popular sites that have the letter I in their domain name also register the variant with l and redirect it to the main domain. Smaller sites often neglect this, which hands attackers a gift.

Fraudsters register the variants of the site's name with l and use them for phishing, always writing the domain name in capital letters. We have already discussed the purpose of link substitution in this chapter.

Of course, the browser's address bar converts capital letters to lowercase, and the disguise no longer looks as convincing. But, firstly, few people check the address bar after opening a link, especially a long one, and secondly, when the attack is aimed at collecting data about the victim, getting the link opened is the attacker's main task.

Fraudsters actively use this scheme in Telegram as well. It works like this: @service and @SERVlCE are visually identical Telegram IDs. One is written in lowercase letters and the other in uppercase, but, as you might guess, the second one uses letter substitution. This is a favorite trick of scammers in Telegram, and it works great.

After reading this chapter, you should remember one simple idea: if you receive a link to a site whose address is written in capital letters, it may be a trap; if a Telegram ID is written in capital letters, it may be a scammer's account. Be careful.
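
The check described in this chapter can be automated for incoming links and Telegram IDs. The following Python code is an added example, not part of the original course; the watch list and the function names are assumptions, and the sample names are the ones used in the chapter.

```python
# Constructed watch list: the genuine names used as examples in this chapter.
PROTECTED = {"panicbutton.pw", "service"}

def resolved(name):
    """What actually gets resolved: lowercase, without a leading '@' or 'www.'."""
    n = name.strip().lstrip("@").lower()
    return n[4:] if n.startswith("www.") else n

def skeleton(name):
    """Collapse the confusable pair: capital I and lowercase l become one symbol."""
    return resolved(name).replace("i", "l")

def caps_hiding_l(name):
    """True if the name is written in capitals except for lowercase 'l' characters."""
    letters = [c for c in name if c.isalpha()]
    lower = [c for c in letters if c.islower()]
    return bool(lower) and set(lower) == {"l"} and len(lower) < len(letters)

def classify(name, protected=PROTECTED):
    """Return 'exact', 'lookalike of <name>', 'suspicious casing' or 'unrelated'."""
    if resolved(name) in protected:
        return "exact"
    # Compare skeletons: names that differ only by I/l swaps collapse together.
    skeletons = {skeleton(p): p for p in protected}
    match = skeletons.get(skeleton(name))
    if match:
        return f"lookalike of {match}"
    # No watch-list hit, but the casing pattern itself is the warning sign.
    return "suspicious casing" if caps_hiding_l(name) else "unrelated"

if __name__ == "__main__":
    for sample in ["WWW.PANlCBUTTON.PW", "WWW.PANICBUTTON.PW",
                   "@SERVlCE", "@service", "HELlO.EXAMPLE", "example.org"]:
        print(f"{sample:22} -> {classify(sample)}")
```

The skeleton comparison only catches names on the watch list; the casing check is what flags capitals-with-lowercase-l names for sites that are not listed.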
