While Facebook is busy fending off international opposition to its Libra cryptocurrency, fake websites are cropping up claiming to offer the tokens for sale to unwary investors.

The latest Libra scam website is LibraReserve.io. A visual mashup of both Libra.org and Calibra.com, Libra Reserve claims to offer both the opportunity to buy Libra as well as early access to Calibra.

Micky created a test account to see exactly how this particular Libra scam worked. The signup process was quick and easy – in fact, no personal information was requested beyond a name, an email address, and a password.

Once logged in, users appear to have the ability to purchase Libra tokens and they are also given a referral link that they can use to promote the scam to others as well.

Clicking on the Get Libra button on the dashboard takes you to a page where you can ‘exchange’ Bitcoin and Ethereum for Libra tokens.

They also have a credit card option listed, but it is listed as being disabled.

Red flags…red flags everywhere

Aside from the fact that Libra won’t be available until next year, Libra Reserve is riddled with red flags that scream ‘SCAM!’.

No KYC measures

Seriously? We’re expected to believe that Libra – a project that is being watched and scrutinized by governments around the world – isn’t going to ask for one iota of identifying information?

Not only does Libra Reserve not verify user information (Micky used a false name during sign up to test this), there isn’t even anywhere on the site to view or edit users’ account information.

Conflicting payout terms

On the page where users can supposedly buy Libra, the website states that “When the payment is received and processed, the coins will be sent to you.”

But on the main dashboard page, when you run your cursor over the faded out Withdrawal button, an alert pops up saying that the tokens will be available when the public sale – the one that isn’t going on – is completed.

No country restrictions

Libra Reserve is “offering” tokens and early access to Calibra to everyone, but a spokesperson for the actual Calibra organization told TechCrunch that it “won’t be available in U.S.-sanctioned countries or countries that ban cryptocurrencies.”

No contact information

Other than a support ticket form, there is no point of contact anywhere on the website. No email address, no social media links, no terms of service…nothing.

The actual Libra and Calibra websites have multiple points of contact, including all of the above.

ICO-style public sale

Although Libra Reserve has stopped short of calling its scam an ICO, it is absolutely conducting it like one – all the way down to the countdown clocks and fundraising goal tracker to the 50% bonus being offered.

When the Libra cryptocurrency does launch, reports indicate that it will initially only be available through Facebook’s WhatsApp and Messenger apps, both of which will have a built-in Calibra wallet.

When is Calibra not Calibra?

Users of cryptocurrency exchanges and online crypto wallet services are often reminded to check the domain name before they log in to make sure that they are on the actual website and not a fake scam site, but even that isn’t enough anymore.

When someone registers a domain name, typically the only characters allowed were the English alphabet (a-z), numbers, and the hyphen (-) symbol but an initiative launched in 2009 as part of ICANN’s IDN (Internationalized Domain Names) Program has made it possible to include characters from other languages as well.

The original intent of the IDN program was to allow people around the world to use domain names in their own native language.

Unfortunately, enterprising scammers are taking advantage of this to spoof legitimate domain names.

On June 27th, a user posted in /r/EOS on Reddit about a fake copy of the Calibra website. In this particular instance, the scammer appeared to have a change of heart and shut down the site, leaving nothing behind but an apology that read, “Sorry Zuck. All funds are refunded.”

The most interesting part about this scam, however, isn’t what they did, but how they did it.

Although the link to the site posted on Reddit has since been removed, it got picked up by news aggregator CryptoDigest.

Based on the screenshot above, it looks like clicking on the link would take you to the actual Calibra website, but in actuality, it takes you here:

Clearly not the Calibra website, right? But take a look at the domain name in the address bar:

Calibra.com – but how is that possible? The answer lies in the text link itself.

If you right click on the ‘https://calìbra.com/’ link on CoinDigest and select Inspect from the menu that appears, you will see a bit of code that looks like this:

The line highlighted in blue is what you want to pay attention to. See the value of the href attribute?

https://cal%C3%ACbra.com/

That is the actual domain name that the link takes you to when you click on it. The %C3%AC part of the domain name is actually an encoded Cyrillic lowercase dotted ‘i’.

The Cyrillic alphabet is used in more than 50 different languages, including Russian, Ukrainian, Bulgarian, and many others.

When Chrome, Firefox, and Opera display the domain name in the address bar, the encoded character gets displayed, making cal%C3%ACbra.com appear as calibra.com.

This particular type of scam – swapping out characters in a domain name with similar looking characters – is called a homograph attack.

How can you protect yourself (and your crypto)?

In the case of the LibraRserve.io scam, the best defense is to be well-informed. If would-be investors spent even a few minutes doing their due diligence, they would know that Libra isn’t set to be released until 2020.

Armed with that information, they would – or should – know that any person or website offering to sell Libra tokens ahead of the 2020 release date is just looking to scam FOMO-addled investors out of their hard-earned funds.

With homograph attack type scams, it’s not always easy because some letters in other languages are nearly identical to letters in the English language.

Still, there are several steps you can take to protect yourself:

Type the URLs of the crypto exchanges and other services you use into the address bar of your browser manually and bookmark them for future use.

Microsoft Edge and earlier versions of Internet Explorer don’t convert encoded characters, so consider cutting and pasting URLs into Edge or IE to check them.

Inspect links before you click on them (like we did for the Calibra link above).

If the website uses SSL (e.g. if it begins with https instead of http) you can right click on the green padlock icon in the address bar to inspect its SSL certificate.

Manually type the URL into a text editor and then copy and paste the URL from the address bar beneath it to see if they match.

How do you protect yourself from scams like these? Join the conversation on twitter @MickyNewsOz