Background
At the beginning of the web, domain names could only consist of the Latin letters A to Z, digits, and a few other characters. Because of rising demand, Internationalized Domain Names (IDNs) were created to support non-Latin alphabets for web users around the globe. But new technology comes with new vulnerabilities, and the exploitation of this one is called the IDN homograph attack.
How IDN works
IDNs were devised to support arbitrary Unicode characters in hostnames in a backward-compatible way. This works by having user agents transform hostnames containing non-ASCII Unicode characters into an ASCII-only hostname, which can then be sent to DNS servers. This is done by encoding each domain label into its Punycode representation. This representation includes a four-character prefix (xn--) and then the Unicode translated to ASCII Compatible Encoding (ACE). For example, http://öbb.at is transformed to http://xn--bb-eka.at.
It works by converting individual domain labels to an alternative format using only ASCII characters. For example, the domain “xn--s7y.co” is equivalent to “短.co”.
An IDN attack can also be carried out with email addresses, for example:
Original Email: abc@gmail.com
IDN Email: abc@gmáil.com
abc@xn--gmil-6na.com is the ASCII Compatible Encoding of the IDN email address.
IDN attack
Because IDNs were developed to support non-Latin alphabets in DNS, attackers use these facilities to register a domain that looks like an existing one, for example:
1. example.com is an existing domain and the attacker registers êхamplé.com as his own. The attacker then copies the whole content of example.com to êхamplé.com.
2. He then spreads the poisoned website URL to the victims.
3. If a victim fails to recognize the poisoned link, he or she will land on the mimicked website and enter sensitive information or carry out transactions that go directly to the attacker, without the victim having a single clue about it. This type of attack is called an IDN attack.
Below, various possible IDN examples are given:
| IDN | Unicode | Legitimate match |
|---|---|---|
| xn--alixpress-d4a.com | aliéxpress.com | aliexpress.com |
| xn--go0gl-3we.fm | go0glе.fm | google.com |
| xn--mazon-wqa.com | ámazon.com | amazon.com |
This one is an IDN homograph website registered as аррӏе.com (www.xn--80ak6aa92e.com). Just by looking at the link it is impossible to tell whether it is the original or a fake.
An IDN email address can even be used to reset another user's password on certain websites.
Prevention:
In a recent survey, it was found that 35,989 domains tried to imitate 466 top global brands across 11 vertical sectors ranging from banking to retail to technology. To prevent such attacks, various strategies can be used.
A. Google Chrome’s IDN policy
Nowadays, web browsers are getting smarter day by day. Most of the time they prevent a homograph link from redirecting the user to the suspicious website.
Since Chrome 51, Chrome uses an IDN display policy that does not consider the language settings (the Accept-Language list) of the browser. A similar strategy is used by Firefox.
B. Server Side
Server-side defenses against homograph attacks primarily rely on policies implemented by the Internet Corporation for Assigned Names and Numbers (ICANN). These policies generally prohibit internationalized TLDs from containing non-Latin characters that could cause them to resemble an existing TLD that uses Latin characters. ICANN also encourages the use of longer TLDs, making them more difficult to confuse with existing Latin TLDs.
C. TOOLS
- EvilURL:
One can use tools like EvilURL to detect whether a link is homographic or not.
- Whois IP lookup:
One can check whether a suspicious link belongs to a particular organization or not by looking up its details on websites like whois.domaintools.com. By doing this, one can easily identify whether a link is real or fake.
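As an added example (not code from the original post), the following Python script performs the Punycode conversion described under "How IDN works" using the standard library's idna codec, and applies two defensive heuristics in the spirit of the browser display policies above: flagging labels that mix scripts, and flagging labels whose TR39-style skeleton collides with a brand name. The confusables subset and the brand list are constructed for this demo and are far smaller than what a browser ships.

```python
import unicodedata

# Constructed subset of Unicode TR39 confusables: Cyrillic letters that render
# like Latin ones. A production checker would load the full confusables.txt.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
               "у": "y", "ӏ": "l", "і": "i", "ј": "j", "ѕ": "s", "ԁ": "d"}
# Constructed list of protected brand labels, standing in for the top-domain
# list that browsers compare skeletons against.
BRANDS = {"apple", "paypal", "gmail", "example", "google", "amazon", "aliexpress"}

def to_ascii(hostname):
    """ACE (xn--) form a user agent sends to DNS, via the stdlib 'idna' codec."""
    return hostname.encode("idna").decode("ascii")

def to_unicode(ace_hostname):
    """Inverse of to_ascii: decode xn-- labels back to Unicode for display."""
    return ace_hostname.encode("ascii").decode("idna")

def script_of(ch):
    """Coarse script bucket taken from the Unicode name ('LATIN', 'CYRILLIC', ...)."""
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"  # digits, hyphen, combining marks
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(label):
    """TR39-style skeleton: drop diacritics, then map confusables to Latin."""
    base = "".join(c for c in unicodedata.normalize("NFD", label)
                   if unicodedata.category(c) != "Mn")
    return "".join(CONFUSABLES.get(c, c) for c in base)

def label_risks(label):
    """Reasons a browser-style display policy would distrust this label."""
    label = unicodedata.normalize("NFC", label)
    reasons = []
    scripts = sorted({script_of(c) for c in label} - {"COMMON"})
    if len(scripts) > 1:
        reasons.append("mixed scripts " + "/".join(scripts))
    skel = skeleton(label)
    if skel != label and skel in BRANDS:
        reasons.append("confusable with brand label " + skel)
    return reasons

def check_hostname(hostname):
    """Report ACE form, Unicode form and per-label risks for either input form."""
    uni = to_unicode(hostname) if hostname.isascii() else hostname
    risks = {}
    for lab in uni.split("."):
        reasons = label_risks(lab)
        if reasons:
            risks[lab] = reasons
    return {"unicode": uni, "ascii": to_ascii(uni), "risks": risks}

if __name__ == "__main__":
    for host in ["öbb.at", "pаypal.com", "xn--80ak6aa92e.com", "go0glе.fm"]:
        print(check_hostname(host))
```

Note that öbb.at is not flagged: a single-script Latin label with a diacritic is only suspicious when its skeleton matches a protected name, which is also why the brand list matters more than the confusables table.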
IDN Homograph attack Examples:
Open Whisper Signal (aka Signal-Desktop) through 1.23.1 and the Signal Private Messenger application through 4.35.3 for Android are vulnerable to an IDN homograph attack when displaying messages containing URLs.
Telegram Desktop before 1.5.12 on Windows, and the Telegram applications for Android, iOS, and Linux, are vulnerable to an IDN homograph attack when displaying messages containing URLs.
• On February 7, 2005, web browsers supporting IDNA appeared to direct the URL http://www.pаypal.com/, in which the first "a" is replaced by a Cyrillic а, to the site of PayPal, but it actually led to a spoofed website with different content.
• In 2017, an IDN homograph attack leveraging the Adobe brand was discovered, with the malicious site spreading the Betabot backdoor and ultimately infecting compromised machines with cryptocurrency-mining and data-stealing malware.
Conclusion:
To be on the safer side, always check carefully before clicking any link. Ensure you are browsing the correct website and always beware before visiting any random website.