IDN Homograph Attacks/Prevention
Introduction to IDN Homograph Attacks
What will be covered today?
- What is an IDN Homograph Attack?
- Example of IDN Homograph Attack
- Reversing a Phishing Email Source
- Preventing IDN Homograph Attacks
- Different phishing Attacks/Methods
What is an IDN Homograph Attack?
An IDN (Internationalized Domain Name) homograph attack exploits the fact that many characters look the same as ASCII characters. Below is an example using Cyrillic characters, and you'll see how it's almost impossible for the human eye to tell them apart.
English Characters: a, c, e, o, p, x and y
Cyrillic Characters: а, с, е, о, р, х and у
An IDN Homograph Attack Example
As you can see, at a glance (or even looking closely) they look exactly the same. Surely browsers like Firefox, Chrome etc. would change the characters into a different form, right?
For example, when searching for these characters on namecheap.com, they are returned in a bold/weird look.
This is because they can check the input and display the output on the screen, since they have control over their own website, right? Yes.
Does Chrome have this functionality built into the URL Bar?
Wow. No. Although I am not sure if this type of functionality would be possible to implement inside the browser itself, I know it can be done on Google.com, so let's see if they have any kind of "protection/prevention".
It seems to underline it as if it was misspelled, which is better than nothing! Now let's take a look at how it would look if it was sent via an email (spear phishing) to a target at PayPal.
Looks legit, right? The email is from PayPal and the domain is paypal.com, so what's the issue here? A majority of non-technical individuals would believe this; however, if we hover our mouse over the domain, it goes to IDN:xn--pypl-53dc.com
Note: if we registered this domain it should be directly accessible from pаypаl.com with no redirection.
Disclaimer: Registering domains such as paypal.com using Cyrillic characters could get you sued, because the domain is a trademark.
Please view my Tweet to see a side-by-side comparison of these English characters vs Cyrillic characters. Anyone who is only interested in the IDN Homograph Attack can skip to the next IDN "Chapter".
Reversing the phishing email
Firstly, I got the header of the email. If you are unsure how to do this manually, please go to Mxtool and follow their instructions.
Now we are going to use another tool to see more information by providing the headers of the email, which means we can identify whether or not it was really sent by one of PayPal's SMTP servers.
The email was sent from emkei.cz. A quick Google search shows this to be an email spoofing service. This information alone allows us to confirm it's a phishing attack.
Cool! It also identified the redirection and parsed that information for us, so we won't risk clicking any links at all. That's a lot of information. If this email spoofing provider wasn't blocked on your mail, you can now contact your email provider for a block! Further down, it just shows information such as the Subject, Message, From, To etc.
We can confirm this was a spear phishing attempt (assuming it's targeted at just us).
Preventing IDN Homograph Attacks
Browsers have built-in security settings that attempt to prevent this but can fail. There are also multiple browser extensions that can be used to block these types of attacks.
The homograph protection mechanism in Chrome, Firefox, and Opera unfortunately fails if every character is replaced with a similar character from a single foreign language.
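An added example (not from the original post) of the check this section describes: it decodes the `xn--` form seen on hover, reports which scripts each label uses, and shows why a mixed-script test alone misses an all-Cyrillic label. The look-alike map holds only the seven Cyrillic letters listed earlier; the `protected` watchlist and the all-Cyrillic sample host are constructed for illustration.

```python
import unicodedata

# Cyrillic а, с, е, о, р, х, у (the look-alikes listed in the article) -> Latin twins.
# Assumption: a production check would use the full Unicode confusables data instead.
CYRILLIC_TO_LATIN = dict(zip("\u0430\u0441\u0435\u043e\u0440\u0445\u0443", "aceopxy"))

def to_unicode(label):
    """Decode an xn-- (Punycode) label to Unicode; other labels pass through."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Encode a Unicode label to the xn-- form a browser shows on hover."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def analyze_host(host, protected=("paypal",)):
    """Return one finding dict per label; `protected` is a hypothetical watchlist."""
    findings = []
    for raw in host.rstrip(".").split("."):
        label = to_unicode(raw)
        scripts = sorted({script_of(c) for c in label} - {"COMMON"})
        skeleton = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in label)
        findings.append({
            "label": label,
            "a_label": to_ascii(label),
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
            # Non-ASCII label that collapses to pure ASCII once look-alikes are mapped.
            "ascii_lookalike": not label.isascii() and skeleton.isascii(),
            "imitates": skeleton if skeleton in protected and label != skeleton else None,
        })
    return findings

if __name__ == "__main__":
    # Constructed samples: the article's host, an all-Cyrillic label, the real host.
    for h in ("xn--pypl-53dc.com", "\u0441\u043e\u0440\u0435.com", "paypal.com"):
        print(h, analyze_host(h)[0])
```

The all-Cyrillic sample reports `mixed_script` as false yet `ascii_lookalike` as true, which is the single-script case the browser mechanism above lets through.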
I would always say to keep these kinds of security settings enabled, but a determined hacker will try to bypass them. I also suggest getting plugins for protecting against IDN Homograph Attacks, and always doing a quick nslookup, which will give certain information; for more information you can use dns-records. Also make sure you do not click any links on the real domain, as there may be an open redirect vulnerability, and if it redirects you to the attacker's domain you'll be clueless. We also do not recommend copying links from emails or clicking links such as password resets you never requested. Simply type the URL into your browser and copy the extension (the part after the domain), e.g.
pаypаl.com/phishing-link/password-reset < Phishing Link // Hashnode Detects this
Instead, manually go to paypal.com (typing it yourself) and then copy the extension, e.g. /phishing-link/password-reset
Full URL: paypal.com/phishing-link/password-reset
Blogs on prevention:
Different phishing Attacks/Methods
- Spear Phishing with malicious PDFs, DOCX etc // rev shell
- LAN Based Phishing
- Bit Squatting
- Google Dorking
Real Life Example
The following blog describes an IDN Homograph Attack against Apple, in which the author registers the domain and everything! I highly recommend reading it.
Reference on why I blogged about this: twitter.com/RiotSecTeam/status/143150098748..
We appreciate any support, if you could follow us on Twitter and possibly Subscribe on YouTube we'd appreciate that! Thanks
That's all for now, have a good day! ~ RiotSecurityTeam