Bitcoin Forum
April 26, 2024, 08:51:20 AM *
Topic: Plagiarism: the difference between "wallet" and "wallet"
LoyceV (OP)
Legendary
*
Online Online

Activity: 3290
Merit: 16550


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
March 09, 2018, 08:04:40 PM
Last edit: March 10, 2018, 08:29:08 AM by LoyceV
Merited by botany (10), Foxpup (6), Vod (5), suchmoon (5), dbshck (5), sapta (5), bob123 (5), Timelord2067 (1), marlboroza (1)
 #1

While processing Bounty Content applications, I stumbled upon something I haven't seen before. I can't really figure out how it's done, but it turns out there's a difference between "wallet" (11,000 hits on Google) and "wallet" (127,000,000 hits on Google)! Click CTRL-F and try to search for one of the two words on this page.

My initial plan was to bust the few cheaters, but this turns out to be much larger than just a few. So, I throw this in here for community help!

First: how is this done? Is there some software that replaces ASCII characters by something that looks like it, but can't be found through copy/paste?
(this question has been answered, now let's focus on busting the cheaters!)

Second: I think "wallet" is just the tip of the iceberg, but it's the only word I've checked so far. When I Google "wallet site:bitcointalk.org -imode", it gives me 66 hits.


The first hit came from SandraSN:
all coins have their own wallet just check their site. It's better to store your coins on a hard wallet like trezor or paper wallet.

To find the original, I had to manually type a part of the post into Google. This post is a copy of:
It's better to store your coins on a hard wallet like trezor or paper wallet. All coins have their own wallet just check their site.
Note how the order of the two sentences was reversed. But worst of all, if you select any small part of either of those two posts and try to Find it on this page, your only hit will be the post you selected.
Mods: please ban SandraSN. (still at large)


The second hit is SergiOLa, who posted:
You can send eTH from any ethereum wallet type excluding an exchange wallet. You can use any wallet manager because they all use the same underlying ethereum hardware where your actual wallet is located. Do not use exchanges wallets.

Which is a copy of:
You can send ETH from any Ethereum wallet type excluding an exchange wallet. You can use any wallet manager because they all use the same underlying Ethereum hardware where your actual wallet is located. Do not use exchanges wallets.
Mods: please ban SergiOLa. Banned!


The third hit is from Kamelia, who copied:
I also don't use bitcoin and ethereum for transactions. Sometimes the transaction is more expensive than the transfer amount. I use ripple and doge for transactions. These transactions are fast and cheap. They "fly" between exchanges and from the wallet to the wallet.

From:
I also don't use bitcoin and ethereum for transactions. Sometimes the transaction is more expensive than the transfer amount. I use ripple and doge for transactions. These transactions are fast and cheap. They "fly" between exchanges and from the wallet to the wallet.
Mods: please ban Kamelia. Banned!


I've only checked three of the 66 "wallet"-links on Google, and so far it was 100% plagiarism. It's a lot of work to document this way, so I'll leave it at this as a "proof of concept".
If you check the post history of any of those people, you'll find many more words to search for. If they don't pop up when you hit CTRL-F and manually type the word, it's very likely to be plagiarism. For example, searching for the word "exchange" gives 70 hits.

Update: this makes it easier to spot: my old xterm doesn't support the characters, posts look like this when I copy them:
[Image]

bitperson
Full Member
***
Offline Offline

Activity: 210
Merit: 119


View Profile
March 09, 2018, 08:17:49 PM
Merited by malevolent (5), Quickseller (5), Timelord2067 (1), LoyceV (1), dbshck (1), vlad230 (1)
 #2

In ‘wallet’, the second character is a cyrillic ‘a’ and the fifth a cyrillic ‘ie’, encoded in Unicode. This kind of scam is known as a homograph attack. You can find all characters using normal search as long as you’re searching for those exact characters.

Jet Cash
Legendary
*
Offline Offline

Activity: 2702
Merit: 2449


https://JetCash.com


View Profile WWW
March 09, 2018, 08:20:23 PM
 #3

It's the first letter e that is different

pugman
Legendary
*
Offline Offline

Activity: 2383
Merit: 1551


dogs are cute.


View Profile WWW
March 09, 2018, 08:35:02 PM
 #4

Quote from: bitperson
In ‘wallet’, the second character is a cyrillic ‘a’ and the fifth a cyrillic ‘ie’, encoded in Unicode. This kind of scam is known as a homograph attack. You can find all characters using normal search as long as you’re searching for those exact characters.

If this is really a thing, phishing sites would only become more complicated to identify in the future.
LoyceV, that is very much surprising what you have found.

LoyceV (OP)
Legendary
*
Online Online

Activity: 3290
Merit: 16550


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
March 09, 2018, 08:41:43 PM
Last edit: March 09, 2018, 08:52:28 PM by LoyceV
 #5

Quote from: pugman
If this is really a thing, phishing sites would only become more complicated to identify in the future.

A quick check for the first domain registrar shows that it won't work.

Quote from: FL4RE
@up, Browsers now showing Cyrillic characters as xn--(digit), but in the past it was able to make identical copy of domain with these characters.

Testing wallet.com brings me to http://www.xn--wllt-53d6a.com/ indeed (which doesn't exist). Note that I really typed this:
Code:
[url=www.wallet.com]wallet.com[/url] 
My browser changes it already. Nice catch!

FL4RE
Copper Member
Newbie
*
Offline Offline

Activity: 19
Merit: 3

CIO at HODLER.TECH


View Profile WWW
March 09, 2018, 08:44:10 PM
 #6

This trick was used by students to cheat the plagiarism system in master's theses.
@up, Browsers now showing Cyrillic characters as xn--(digit), but in the past it was able to make identical copy of domain with these characters.

bitperson
Full Member
***
Offline Offline

Activity: 210
Merit: 119


View Profile
March 09, 2018, 08:45:03 PM
Merited by LoyceV (1)
 #7

Quote from: bitperson
In ‘wallet’, the second character is a cyrillic ‘a’ and the fifth a cyrillic ‘ie’, encoded in Unicode. This kind of scam is known as a homograph attack. You can find all characters using normal search as long as you’re searching for those exact characters.
Quote from: pugman
If this is really a thing, phishing sites would only become more complicated to identify in the future.

It has been a thing for 10+ years :( https://en.m.wikipedia.org/wiki/IDN_homograph_attack

nullius
Copper Member
Hero Member
*****
Offline Offline

Activity: 630
Merit: 2610


If you don’t do PGP, you don’t do crypto!


View Profile WWW
March 09, 2018, 08:47:18 PM
Last edit: March 09, 2018, 08:59:20 PM by nullius
Merited by Anduck (10), malevolent (4), dbshck (3), Timelord2067 (1), LoyceV (1), marlboroza (1), th3nolo (1)
 #8

Quote from: LoyceV
While processing Bounty Content applications, I stumbled upon something I haven't seen before. I can't really figure out how it's done, but it turns out there's a difference between "wallet" (11,000 hits on Google) and "wallet" (127,000,000 hits on Google)!

You stumbled across a well-known security issue, which usually affects identifiers such as domain names.  E.g., paypal.com vs. paypal.com—see, the same difference!  Or the notorious whole-script confusable, appӏe.com (not the same as apple.com):

Code:
$ echo "apple.com" | hd
00000000  61 70 70 6c 65 2e 63 6f  6d 0a                    |apple.com.|
0000000a
$ echo "аррӏе.com" | hd
00000000  d0 b0 d1 80 d1 80 d3 8f  d0 b5 2e 63 6f 6d 0a     |...........com.|
0000000f

Quote from: LoyceV
First: how is this done? Is there some software that replaces ASCII characters by something that looks like it, but can't be found through copy/paste?

Lookalike letters from different scripts such as Cyrillic and Greek are used in lieu of Latin letters.  In this case, U+0430 CYRILLIC LETTER A which UTF-8 encodes to { 0xd0, 0xb0 }:

Code:
$ echo "wаllеt" | hd
00000000  77 d0 b0 6c 6c d0 b5 74  0a                       |w..ll..t.|
00000009
$ echo "wallet" | hd
00000000  77 61 6c 6c 65 74 0a                              |wallet.|
00000007

Quote from: LoyceV
Second: I think "wallet" is just the tip of the iceberg, but it's the only word I've checked so far. When I Google "wallet site:bitcointalk.org -imode", it gives me 66 hits.

Tip of the iceberg, indeed.

This exact issue has spawned a plethora of discussion in Unicode TR 39, Internet RFCs (see especially the RFCs related to IDN, among others), and vendor specifications—not to mention, mountains of blog arguments.  I will try to gather up some links for further information.  A quote from UTR #39 below should give a brief overview of the types of confusables.  I will try to answer questions insofar as I reasonably may.


Quote from: pugman
If this is really a thing, phishing sites would only become more complicated to identify in the future.
Quote from: LoyceV
A quick check for the first domain registrar shows that it won't work.

Registries (not registrars) typically have policies about this.  For example, off the top of my head / if memory serves, in .de you can register domains containing äöü but not any other non-ASCII characters.  The purpose of such policies is to prevent this type of attack.



I think this should suffice for an overview:

https://www.unicode.org/reports/tr39/tr39-1.html#Confusable_Detection

Quote from: Unicode Consortium
...there are three main classes of confusable strings:

    X and Y are single-script confusables if they are confusable according to the Single-Script table, and each of them is a single script string according to Section 5. Mixed Script Detection. Examples: "so̷s" and "søs" in Latin.

    X and Y are mixed-script confusables if they are confusable according to the Mixed-Script table, and they are not single-script confusables. Example: "paypal" in Latin and "paypal" with the 'a' being in Cyrillic.

    X and Y are whole-script confusables if they are mixed-script confusables, and each of them is a single script string. Example: "scope" in Latin and "scope" in Cyrillic.

jointherevolution
Jr. Member
*
Offline Offline

Activity: 229
Merit: 3

EndChain - Complete Logistical Solution


View Profile
March 09, 2018, 10:57:33 PM
 #9

This is interesting and horrifying at the same time. The more I learn, the less I understand the internet.

LoyceV (OP)
Legendary
*
Online Online

Activity: 3290
Merit: 16550


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
March 10, 2018, 10:24:03 AM
Merited by Timelord2067 (1)
 #10

@Mods: thanks for banning 2 of them, but one was missed.

I tried registering "LoyceV" on this forum, but I get "Invalid character used in Username.". I'm glad this is covered.

digaran
Copper Member
Hero Member
*****
Offline Offline

Activity: 1330
Merit: 899

🖤😏


View Profile
March 17, 2018, 07:00:33 AM
 #11

Tomato or tomato, if this is only detectable with wallet. I don't know how many posts could we find other than a few? also, I would like to know what is the difference visually? do you know how many ways we could use something trickery like this? we could do something similar with transactions and fool the miners by showing them Bitcash and say it's really Bitcoin.

LoyceV (OP)
Legendary
*
Online Online

Activity: 3290
Merit: 16550


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
March 17, 2018, 08:34:11 AM
 #12

Quote
if this is only detectable with wallet. I don't know how many posts could we find other than a few?
These words, taken from Kamelia's quote in the OP, all show the same trickery:
Quote
also use and ethereum transactions
Sometimes the transaction more expensive than the transfer amount
use ripple and doge transactions
These transactions are fast and cheap
They between exchanges and the wallet

Quote
also, I would like to know what is the difference visually?
The whole point of this thread is that there isn't any visual difference.

Quote
do you know how many ways we could use something trickery like this? we could do something similar with transactions and fool the miners by showing them Bitcash and say it's really Bitcoin.
It's a visual trick, miners don't fall for that.

botany
Legendary
*
Offline Offline

Activity: 1582
Merit: 1064


View Profile
March 17, 2018, 10:39:58 AM
Merited by digaran (2), LoyceV (1)
 #13

-snip-

Loyce, that is brilliant. I don't mind putting in a little bit of additional effort in looking at those google hits. So here goes.

Account 1: SenseiSan

I spend a lot of time studying information, which appears very quickly and very quickly begins to spread across the network, because today all conditions are created for this, but it is necessary to shorten this time. approximately 6 hours per day

Copied from
I spend a lot of time studying information, which appears very quickly and very quickly begins to spread across the network, because today all conditions are created for this, but it is necessary to shorten this time. Approximately 6 hours per day


Account 2: LeonKG

I use MEW but the safest wallet is trezor hardware wallet your private can never be tampered with if you can afford buying tezor wallet it is actually worth buying because of tokens safety.

Copied from
I use MEW but the safest wallet is trezor hardware wallet your private can never be tampered with if you can afford buying tezor wallet it is actually worth buying because of tokens safety.


Account 3: Topotam

I was remember when I am new here in bitcoin I ask my friend what is the advisable altcoin wallet and he answered one of the trusted altcoin wallet is myetherwallet. In that point for me the best wallet  for altcoin myetherwallet its because myetherwallet is very easy to use, to stored eth token and the safe  altcoin wallet because you have the private key to unlock your wallet.

Copied from
You ask, what is best wallet for altcoin? I was remember when I am new here in bitcoin I ask my friend what is the advisable altcoin wallet and he answered one of the trusted altcoin wallet is myetherwallet. In that point for me the best wallet  for altcoin myetherwallet its because myetherwallet is very easy to use, to stored eth token and the safe  altcoin wallet because you have the private key to unlock your wallet.


Account 4: Vanopest

my ether wallet my friend because now a days a lot of token do use now eRC20 that myetherwallet can store so if i we're you i will started to use myetherwallet because it is safe and also it is free

Copied from
my ether wallet my friend because now a days a lot of token do use now ERC20 that myetherwallet can store so if i we're you i will started to use myetherwallet because it is safe and also it is free


Account 5: MalinkaOw

its depends on your altcoins, if you want to keep eth or ethereum tokens you can use myetherwallet... but if your investments is another coin, just donwload their wallet and run  it in your device

Copied from
its depends on your altcoins,,
if you want to keep eth or ethereum tokens you can use myetherwallet
but if your investments is another coin, just donwload their wallet and run  it in your device
Coin-1
Legendary
*
Offline Offline

Activity: 2436
Merit: 2169



View Profile
March 19, 2018, 07:03:58 AM
Merited by Timelord2067 (1), LoyceV (1)
 #14

Quote from: bitperson
In ‘wallet’, the second character is a cyrillic ‘a’ and the fifth a cyrillic ‘ie’, encoded in Unicode. This kind of scam is known as a homograph attack. You can find all characters using normal search as long as you’re searching for those exact characters.

I can say about the Russian alphabet. It has some Cyrillic symbols which can be used in a homograph attack.

Lower case (6 identical symbols):
aбвгдeёжзийклмнoпpcтyфxцчшщъыьэюя
abcdefghijklmnopqrstuvwxyz

Upper case (11 identical symbols):
AБBГДEЁЖЗИЙКЛMHOПPCTУФXЦЧШЩЪЫЬЭЮЯ
ABCDEFGHIJKLMNOPQRSTUVWXYZ

Note that the cyrillic symbols are encoded as 2 bytes in UTF-8, therefore:
1) wallet = 6 unicode symbols = 6 bytes in UTF-8
2) wallet = 6 unicode symbols  = 8 bytes in UTF-8
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 2870
Merit: 2298


View Profile
March 19, 2018, 07:10:43 AM
 #15

A very simple solution to this would be to disallow these types of symbols throughout the forum. Or at the very least in the English sections, in which there is absolutely no reason to need to use them.
LoyceV (OP)
Legendary
*
Online Online

Activity: 3290
Merit: 16550


Thick-Skinned Gang Leader and Golden Feather 2021


View Profile WWW
August 29, 2018, 08:00:02 AM
 #16

Theymos ended the abuse:
Quote from: theymos
Done. I only did the ones that look really similar to Latin characters, and it only applies to English sections. It's done at display time, so it's retroactive.

There is no longer a difference between "wallet" and "wallet", so I'll lock this thread. Thanks theymos!
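
An added example, not code from any poster in this thread or from the forum software: a detector for the substitution explained in posts #8 and #14, with a lookalike-to-Latin fold of the same general kind as the display-time replacement mentioned in post #16. The `LOOKALIKES` table is a hand-picked subset, the function names are hypothetical, and the sample post is constructed.

```python
import re
import unicodedata

# Cyrillic code points that render like Latin letters. Hand-picked subset for
# this example; the full data set is confusables.txt from Unicode TR 39.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",
    "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}


def scripts(token):
    """Scripts used by the letters of token, read from the Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in token if ch.isalpha()}


def fold(token):
    """Replace known lookalikes with the Latin letter they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in token)


def classify(token):
    """Return 'mixed-script', 'whole-script' or None (nothing suspicious)."""
    used = scripts(token)
    if "CYRILLIC" not in used:
        return None
    if "LATIN" in used:
        return "mixed-script"      # Latin w, l, l, t plus Cyrillic a and ie
    # Pure Cyrillic is suspicious only if every letter imitates a Latin one;
    # a genuine Russian word keeps non-ASCII letters after folding.
    return "whole-script" if fold(token).isascii() else None


def scan(text):
    """Report each suspicious word with the evidence a reviewer needs."""
    findings = []
    for token in re.findall(r"\w+", text):
        kind = classify(token)
        if kind is None:
            continue
        findings.append({
            "token": token,
            "kind": kind,
            "folded": fold(token),  # what the reader believes they see
            "utf8_len": len(token.encode("utf-8")),
            "punycode": "xn--" + token.encode("punycode").decode("ascii"),
            "swapped": [(i, f"U+{ord(ch):04X}")
                        for i, ch in enumerate(token) if ch in LOOKALIKES],
        })
    return findings


# Constructed sample post: a spoofed "wallet", a spoofed "apple", a plain
# "wallet", and a genuine Russian word that must not be flagged.
SAMPLE = ("store coins on a hard w\u0430ll\u0435t, not at "
          "\u0430\u0440\u0440\u04cf\u0435 or a wallet "
          "(\u043a\u043e\u0448\u0435\u043b\u0451\u043a)")

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```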
