[This is a guest diary contributed by Remco Verhoef. If you would like to contribute a guest post, please let us know via our contact page] Currently there is a campaign going on in which phishing attacks use domains that look exactly like safe domains, by using Punycode domains (https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/). This is called a homograph attack. The Punycode domains start with the xn-- prefix, and browsers show the decoded Unicode domain name in the address bar, where the Unicode characters used (homographs) appear identical to the original characters. I wrote a program that looks for similar characters within a font by comparing glyphs for exact matches, and outputs the table below. It shows each (ASCII) character with its homograph(s). Each font can have different homographs. Phishing campaigns could use not only homograph domains but also glyphs with small changes. Besides the program that builds the table, I've created a program that verifies domains to see whether they are a (visually) exact match for a safe domain. Both programs are currently not open source, but will be upon request.
When you use, for example, the URL https://www.xn--80ak6aa92e.com/ (courtesy of Xudong Zheng), you'll see https://www.apple.com/ in your address bar (in Firefox and Chrome). It is possible to request SSL certificates (using e.g. Let's Encrypt) for Punycode domain names, making this attack even more dangerous: the address bar appears secure and contains the safe domain name, so it is impossible to recognize the difference. We've found the following safe-domain alternatives; these are probably the tip of the iceberg. These domains are exact counterparts of the safe domains. Some companies register a lot of the homograph domains themselves, Google for example, but it seems they forgot a few.
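As an added example in the spirit of the diary's second (unpublished) program, and not the author's own code: a Python checker that decodes xn-- labels, reports which scripts each label uses, maps a constructed subset of confusable Cyrillic/Greek letters to the Latin letters they resemble, and compares the result against a hypothetical watch list of protected domains. The confusables table and the watch list are assumptions, not the diary's font-derived table.

```python
import unicodedata
from typing import Dict, List, Optional

# Constructed subset of Cyrillic/Greek letters whose glyphs match Latin letters
# in common fonts. Illustrative only: a deployment would use a full confusables
# table such as the one the diary's font scan produces.
CONFUSABLES: Dict[str, str] = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u03bf": "o", "\u03b1": "a",
}

# Constructed (hypothetical) watch list of brand domains to protect.
PROTECTED = ["apple.com", "epic.com", "google.com"]


def decode_label(label: str) -> str:
    """Decode one DNS label: an 'xn--' label is Punycode, others pass through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label: str) -> List[str]:
    """Heuristic script detection: first word of each letter's Unicode name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split(" ")[0]
                   for ch in label if ch.isalpha()})


def skeleton(text: str) -> str:
    """Replace each confusable letter with the ASCII letter it looks like."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def check_domain(domain: str) -> dict:
    """Accept an A-label (xn--) or U-label hostname and return the findings."""
    labels = [decode_label(l) for l in domain.lower().rstrip(".").split(".")]
    unicode_name = ".".join(labels)
    lookalike = skeleton(unicode_name)
    impersonates: Optional[str] = None
    if lookalike != unicode_name:  # at least one confusable was substituted
        for brand in PROTECTED:
            if lookalike == brand or lookalike.endswith("." + brand):
                impersonates = brand
    return {
        "unicode": unicode_name,
        "scripts": sorted({s for l in labels for s in scripts_of(l)}),
        # a single label mixing scripts is a red flag on its own
        "mixed_script_label": any(len(scripts_of(l)) > 1 for l in labels),
        "impersonates": impersonates,
    }
```

Note that the apple.com lookalike is flagged even though its label is pure Cyrillic, which is why a mixed-script check alone is not enough; the legitimate CJK domain from the comments decodes cleanly and impersonates nothing.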
Resources:
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
https://en.wikipedia.org/wiki/IDN_homograph_attack
https://www.xudongz.com/blog/2017/idn-phishing/
https://isc.sans.edu/forums/diary/This+Article+is+Brought+to+You+By+the+Letter+12494/20319
Johannes, ISC Handler | Apr 17th 2017
Thanks for the write-up!
One small remark though: disabling "network.IDN_show_punycode" in Firefox's about:config may be misunderstood. Setting "network.IDN_show_punycode" to "true" means that punycode is shown, for example xn--80ak6aa92e.com. Setting "network.IDN_show_punycode" to "false" (default) means that the intended text is shown, for example apple.com.
Erik van Straten | Apr 18th 2017
Any legitimate business reason to allow punycode domains?
Anonymous | Apr 18th 2017
Guess this is a good reason to get an EV cert.
Mike7 | Apr 18th 2017
I did some testing, and it appears to me that Outlook 2016 Version 1702 Build 7870.2038 is vulnerable in the same way as Chrome/Firefox: it shows https://www.epic.com when it should show https://xn--e1awd7f.com/ if it behaved the same as IE.
Mark | Apr 18th 2017
Thx, you're right.
Remco, ISC Handler | Apr 20th 2017
Yes, these are intended for international use. For example, the punycoded domain "xn--s7y.co" is equal to the Chinese domain "短.co", which is a legitimate website. Not everyone on the internet uses English; this accommodates domain addresses in other languages.
Anonymous | Apr 24th 2017
Great post, thank you. Any plans on making the program open source?
threatsurfer | Aug 8th 2017
We developed a tool to check domain names' punycode alternatives.
You can use it for your own or any other domain names. Github link: https://github.com/anilyuk/punydomaincheck
Anonymous | Sep 13th 2017