IDN Homograph Attack – Exploitation in Phishing

July 7, 2017 | Views: 5464


Hello!

Welcome to the first post! I am Muhammad Habib and this post will be about “internationalized domain name” or IDN Homograph attack. We will be attacking a browser supporting IDNA to perform a phishing attack.


First things first: What are homographs?

Here’s a simple example for the coders here: there’s a prank in which you change a semicolon in a friend’s code to a Greek question mark.

The semicolon “;” and the Greek question mark “;” may look the same to us humans, but they are not the same to computers. For others, here’s a simple example: the Cyrillic alphabet has a letter (“а”) … doesn’t that look just like the Latin (“a”)?

These are called homographs: characters whose difference we can’t recognize but which computers tell apart, because each one is handled according to its own encoding reference!


Back on topic!

Phishing is always considered primitive because the usual attack scenarios are not revolutionary enough to be treated as critical, whereas they actually are. We can’t disagree that this old-fashioned technique can barely get an attacker any victims. However, this article is about changing this idea!

What will we need for this tutorial?

–> just a few bucks to rent a domain name and hosting

–> a fake page: a clone of the website, used to collect the wanted data

First, we need to choose a website used by the victim whose private data we need … Let’s say Blockchain.info. We decide to replace a and b with letters from the Cyrillic alphabet: Вlockchаin.info

Second, we need to know that browsers tend to convert Punycode in URLs to regular text. What is Punycode? It’s nothing but a way to represent non-Latin symbols. Let’s convert our fake domain name to Punycode: Вlockchаin.info becomes xn--lockchin-66gn.info using this tool.

Third, we buy that domain from, let’s say, NameCheap or Hostgator, host it anywhere, and then upload our fake page.


Finally, an attacker has the choice of targeting a single target by crafting an SE attack, or of massive targeting using spear phishing.

What’s going to happen?

  1. The victim will visit the URL, either from a spoofed e-mail / SMS (we will cover email and SMS spoofing in upcoming articles) or from you directly.
  2. The victim’s browser will most likely convert the Punycode to a regular URL: xn--lockchin-66gn.info becomes Blockchain.info
  3. As the URL is similar to the original website, they won’t recognize the difference and will submit their data!

Let’s talk about protection now:

Firefox, Chrome, and Opera browsers are vulnerable to the homograph attack, whereas the latest Chrome will contain a fix for this issue. Within Firefox the support for Punycode can be disabled by navigating to about:config and disabling “network.IDN_show_punycode”.

Or you can use this Chrome extension to detect Punycode:

Tool URL

Register all homograph iterations of your domain so they are not available to be misused. Registering that many domains might not be practical for some organizations, but for Google, in hindsight, it would have saved them a lot of trouble. Alternatively, you could also monitor those domains for registration activity that would indicate an attack is being planned. To protect internal users the simplest method is to disable IDNA support in your web browsers. Doing so will block access to non-ASCII domain names but will still allow the underlying Punycode domains to continue to be used which removes an attacker’s ability to spoof the real domains.

source
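As an added example (not code from the original article), the following Python shows how a defender could flag the lookalike name from the steps above, for instance in a mail or proxy filter or when monitoring registrations of names close to your own. The confusables map, the function names and the protected-label set are assumptions constructed for illustration; the whole-script case it also catches goes beyond the mixed-script name used in the article.

```python
import unicodedata

# Constructed, deliberately small confusables map (lowercase Cyrillic/Greek ->
# Latin). Assumption: a real deployment would load the full Unicode table.
CONFUSABLES = {
    "\u0430": "a", "\u0432": "b", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u03bf": "o",
}

def script_of(ch):
    """Rough script name: first word of the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_ace(label):
    """Unicode label -> ASCII form (xn-- prefix plus Punycode)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def from_ace(label):
    """xn-- label -> Unicode; other labels are returned unchanged."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def inspect(host, protected):
    """Return findings for host; protected is a set of ASCII labels to defend."""
    findings = []
    for label in (from_ace(l) for l in host.lower().split(".")):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        if len(scripts) > 1:  # e.g. Latin and Cyrillic in one label
            findings.append(("mixed-script", to_ace(label)))
        if not label.isascii() and skeleton in protected:
            findings.append(("lookalike", to_ace(label), skeleton))
    return findings

if __name__ == "__main__":
    # Constructed inputs: the article's spoofed name, its xn-- form, the real name.
    for host in ("\u0412lockch\u0430in.info", "xn--lockchin-66gn.info",
                 "blockchain.info"):
        print(host, inspect(host, {"blockchain"}))
```

The lookalike check matters because a label written entirely in one non-Latin script passes a mixed-script test yet can still render like a protected name.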

I hope this article was helpful and that you learned something new. Brought to you by Jawady Muhammad Habib and my blog http://s3curi7y.tn/

4 Comments
  1. Very nice article, thanks mate!

  2. hbibz keep up the good work my champ
