IDN Homograph Attack – Exploitation in Phishing

By: Jawady Muhammad Habib
July 7, 2017
Hello and welcome to the first post! I am Muhammad Habib, and this post is about the internationalized domain name (IDN) homograph attack. We will be targeting a browser that supports IDNA to carry out a phishing attack.
First things first: what are homographs? Here is a simple example for the coders among you. There is a prank in which you replace a semicolon in a friend's code with a Greek question mark (see here). The ASCII semicolon ";" and the Greek question mark ";" look the same to us humans, but to a computer they are two different characters. For everyone else, here is another simple example:
The Cyrillic alphabet contains a letter ("а", U+0430) that looks just like the Latin ("a", U+0061). Such characters are called homographs: we cannot tell them apart by eye, but computers can, because each character is identified by its code point in the encoding rather than by its shape.
Back on topic!
Phishing is usually considered primitive: its attack scenarios are rarely seen as revolutionary enough to be treated as critical, even though they actually are. It is hard to deny that this old-fashioned technique on its own barely gets an attacker any victims. This article is about changing that idea. What do we need for this tutorial? Just a few bucks to rent a domain name and hosting, plus a fake page: a clone of the target website, used to collect the data we want.
First, we need to choose a website whose users' private data we are after. Let's say Blockchain.info. We decide to replace the B and the a with look-alike letters from the Cyrillic alphabet: Вlockchаin.info.
Second, we need to know that browsers tend to display the Punycode in URLs as regular text. What is Punycode? It is simply an ASCII way of representing non-Latin characters in a domain name (such labels carry the xn-- prefix). Let's convert our fake domain name to Punycode: Вlockchаin.info becomes xn--lockchin-66gn.info using this tool.
Third, we buy that domain from a registrar such as NameCheap or Hostgator, host it anywhere and upload our fake page.
Finally, an attacker can either go after a single target with a crafted social-engineering (SE) attack or target a larger group using spear phishing.
What’s going to happen?
- The victim visits the URL, either from a spoofed e-mail / SMS (we will cover e-mail and SMS spoofing in upcoming articles) or from you directly.
- The victim's browser will most likely convert the Punycode back to a regular URL: xn--lockchin-66gn.info is displayed as Вlockchаin.info, which looks exactly like Blockchain.info.
- Because the URL looks identical to the original website, the victim won't notice the difference and submits their data!
Let’s talk about protection now:
Firefox, Chrome and Opera are vulnerable to the homograph attack, although the latest Chrome will contain a fix for this issue. In Firefox, the conversion can be switched off by navigating to about:config and setting network.IDN_show_punycode to true, so that the address bar shows the raw xn-- form instead of the look-alike characters. Alternatively, you can use this Chrome extension to detect Punycode:
Tool URL
Register all homograph iterations of your domain so they are not available to be misused. Registering that many domains might not be practical for some organizations, but for Google, in hindsight, it would have saved them a lot of trouble. Alternatively, you could also monitor those domains for registration activity that would indicate an attack is being planned. To protect internal users, the simplest method is to disable IDNA support in your web browsers. Doing so blocks access to non-ASCII domain names but still allows the underlying Punycode domains to be used, which removes an attacker's ability to spoof the real domains.
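As an added example (not code from the article or from any of the tools it links), the following Python uses the standard library's idna codec to reproduce the Punycode conversion from the steps above and implements the two checks a defender can run over hostnames pulled from DNS, proxy or certificate logs: a label that mixes scripts, and a confusable "skeleton" that collides with a protected brand. The confusables table is a small constructed subset, not the full Unicode confusables data.

```python
import unicodedata

# Constructed confusables table for this example (a real check would load the
# Unicode confusables.txt data): Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0432": "b", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "\u0455": "s",
}

def to_ascii(host: str) -> str:
    """Unicode host -> the xn-- (Punycode) form that is registered and sent in DNS.
    IDNA also case-folds, so a capital Cyrillic В becomes a small в on the wire."""
    return host.encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """xn-- host -> the Unicode string a browser renders in the address bar."""
    return host.encode("ascii").decode("idna")

def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(host: str) -> str:
    """Replace confusable characters by their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def analyse(host: str, protected: set) -> dict:
    """Flag a hostname (ASCII or Unicode) that could impersonate a protected domain.

    Two independent signals: a label mixing scripts (the usual homograph pattern)
    and a skeleton that collides with a brand we care about.
    """
    wire = to_ascii(host)         # canonical form seen in DNS logs and certificates
    shown = to_unicode(wire)      # what the victim's browser displays
    mixed = [lbl for lbl in shown.split(".") if len(label_scripts(lbl)) > 1]
    target = skeleton(shown).lower()
    return {
        "wire": wire,
        "displayed": shown,
        "mixed_script_labels": mixed,
        "impersonates": target if target in protected and target != shown.lower() else None,
    }

if __name__ == "__main__":
    # Constructed sample: the article's fake domain in Unicode and Punycode form, plus the real one.
    for h in ("\u0412lockch\u0430in.info", "xn--lockchin-66gn.info", "blockchain.info"):
        print(analyse(h, {"blockchain.info"}))
```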
source
I hope this article was helpful and that you learned something new. Brought to you by Jawady Muhammad Habib and my blog http://s3curi7y.tn/