Phishing with Unicode Domains, an attack almost impossible to detect

The vulnerability affects Chrome, Firefox and Opera


The security researcher Xudong Zheng has discovered a new technique for phishing attacks: using an homograph attack, Zheng discovers that is possible to display a fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users.

Chrome’s (and Firefox’s) homograph protection mechanism unfortunately fails if every characters is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “xn — 80ak6aa92e.com”, bypasses the filter by only using Cyrillic characters. You can check this out yourself in the proof-of-concept using Chrome or Firefox. In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable. It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.


What is the Homograph Attack?

Is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike, (i.e., they are homographs, hence the term for the attack). For example, a person frequenting citibank.com may be lured to click a link in which the Latin C is replaced with the Cyrillic С.

An example of an IDN homograph attack; the “e” and “a” are replaced with Cyrillic letters rather than Latin ones.

This kind of spoofing attack is also known as script spoofing. Unicode incorporates numerous writing systems, and, for a number of reasons, similar-looking characters such as Greek Ο, Latin O, and Cyrillic О were not assigned the same code. Their incorrect or malicious usage is a possibility for security attacks.

Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters. For example, the domain “xn — s7y.co” is equivalent to “短.co”.

The researcher has published a demo page on the domain xn — 80ak6aa92e.com which appears as “apple.com” by all vulnerable web browsers:

It is possible to register domains such as “xn — pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041).


Is there a fix?

Zheng has reported this issue to the affected browser vendor in January: Google has already patched the vulnerability in its experimental Chrome Canary 59 and will come up with a permanent fix with the release of Chrome Stable 58 (UPDATE April, 21: Fixed!), but Mozilla is currently still working on a fix

Meanwhile, here a mitigation for Firefox users:

  • Type about:config in address bar and press enter.
  • Type Punycode in the search bar.
  • Browser settings will show parameter titled: network.IDN_show_punycode, double-click or right-click and select Toggle to change the value from false to true.

More technical information on Zheng’s Website:

https://www.xudongz.com/blog/2017/idn-phishing/

Comments