Even the most vigilant internet users are susceptible to this IDN homograph attack
A new wave of Unicode Domain Phishing attacks is tricking even the most seasoned internet veterans thanks to their clever use of homographs.
For those that don’t know, a homograph is a set of two or more words that are spelled the same but have different meanings and origins. In this case, homograph is an imperfect descriptor, but it’s still sufficient.
To execute a Unicode Domain Phishing attack, you first need a Unicode domain. Typically, the URLs you type are in ASCII, which stands for American Standard Code for Information Interchange. However, in 2003, a specification was added to allow Unicode characters to be used in domain names. Unicode is an industry standard for encoding text expressed in most of the world’s written languages. The idea behind this was to give international internet users the ability to follow links in their own language.
But, as with everything on the internet, somebody found a way to exploit this.
Researcher Xudong Zheng published a proof of concept last year that highlights the issue. In the POC, Zheng uses Unicode to produce a web page that resembles Apple’s. To do this, he created a domain with Punycode, the encoding that allows for Internationalized Domain Names. He then mixed in Unicode with ASCII to create a website whose address actually reads “Apple.com”.
An “a” in ASCII (U+0061) is different from a Cyrillic “а” (U+0430), but the browser will render them both the same in the address bar. Now, typically, browsers will display the Punycode form to limit any confusion with the real Apple.com. However, Zheng found that the defense mechanism in Chrome and Firefox didn’t work if every character is replaced with a similar-looking character from the same language, so that the whole name uses a single script.
So, when Zheng registered a domain at xn--80ak6aa92e.com, it bypassed the browser filters and rendered “Apple.com” in the address bar. To make his POC even more compelling, Zheng tossed a DV SSL certificate on his site. Now it looks like Apple, and it has the padlock so it must be safe, right?
Zheng didn’t try to duplicate Apple’s homepage because he was just showing a proof of concept. But be honest, were that an actual phishing attack it would have fooled pretty much anyone.
Regardless, this is really just the tip of the iceberg. There are tons of ways attackers can take advantage of Unicode to create these homograph attacks.
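As an added example (not code from the article or from Zheng’s proof of concept), the following Python script decodes a domain’s Punycode labels the way a browser would and then applies the two checks the article describes: flag labels that mix scripts, and compare single-script labels against a hand-picked subset of Unicode confusables to catch whole-script lookalikes of brand names you want to protect. The confusables table and the brand watchlist are constructed for this example.

```python
import unicodedata

# Hand-picked subset of Unicode confusables (Cyrillic/Greek -> Latin lookalikes),
# constructed for this example; the full list is Unicode TR39's confusables.txt.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def to_unicode(domain):
    """Return the form the address bar would show: xn-- labels decoded, Unicode
    labels normalised. Accepts either Punycode or Unicode input."""
    return domain.encode("idna").decode("idna")

def scripts_of(label):
    """Scripts used by the letters of a label, taken from each character's
    Unicode name (e.g. 'LATIN', 'CYRILLIC'); digits and hyphens are ignored."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def skeleton(label):
    """Replace confusable characters with the Latin letters they resemble."""
    return "".join(CONFUSABLES.get(c, c) for c in label)

def analyze(domain, protected):
    """Classify a domain. `protected` is the set of brand labels to guard.
    Returns (displayed form, list of findings); an empty list means nothing suspicious."""
    shown = to_unicode(domain)
    findings = []
    for label in shown.split("."):
        if label.isascii():
            continue  # plain ASCII label, nothing to confuse
        scripts = scripts_of(label)
        if len(scripts) > 1:
            # Mixed-script labels are what browsers already force into Punycode.
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        look = skeleton(label)
        if look != label and look in protected:
            # Single-script lookalikes slip past the mixed-script rule, as in the POC.
            findings.append(f"{label}: single-script lookalike of '{look}'")
    return shown, findings
```

Running `analyze("xn--80ak6aa92e.com", {"apple"})` decodes the label to all-Cyrillic characters and reports it as a lookalike of "apple", while a label that mixes a single Cyrillic letter into Latin text is reported as mixed-script instead.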
How to protect yourself from Unicode Domain phishing attacks
If you’re a Google Chrome user you’re set. Google addressed this issue in version 58.
Firefox users can prevent this from happening by typing “about:config” into the address bar. Then, in the search box, type “punycode.”
If the value of the entry titled network.IDN_show_punycode is false, double-click it to change it to true.
This will make your browser display the Punycode form (the raw ASCII encoding) rather than the Unicode characters it represents.
Here are a few additional security tips:
- Use a password manager – If you’re on a lookalike Unicode domain, your password manager won’t be fooled: it matches the real domain, so it won’t populate the login fields with your data. When that happens, treat it as a huge red flag about the page you’re visiting.
- Don’t follow links – There are plenty of ways a link can fool you, so for important business, or on social media sites, always type the URL in manually. This way you know you’re directing yourself to the correct domain.
- Turn on Two-Factor Authentication – 2FA can’t protect your login credentials, but it can add a much-needed layer of security should your login credentials ever get compromised. It might be a pain to have to enter a code every time you log in to your mail account, but it will keep your account safe if someone steals your credentials.