Phishing with Saints Cyril and Methodius

Originally built in the United States, the Internet used American Standard Code for Information Interchange (ASCII) for encoding English language Latin-based alphabet characters for communications between computers. You see…computers don’t understand letters or languages, only ones and zeros. But many other world languages use characters that are not found in the Latin alphabet. The international community as a whole saw this as a problem and since the early nineties has created and adopted standards known as Unicode to allow for the handling and rendering of different characters on the web.

The Domain Name System (DNS) which we use to translate user friendly names to IP Addresses for Internet communication, only understands ASCII so in 2010, the Internet Corporation for Assigned Names and Numbers (ICANN) adopted the use of Internationalized Domain Names (IDN) and decided that IDNs should be converted to ASCII-based form so they could be handled by web browsers, applications (IDNA) and DNS.

So what do two brothers, both ordained monks and later canonized as Saints, who lived over 1,132 years ago have to do with modern day Phishing Attacks?

Nothing directly of course, but without going into detail, their work in translating portions of the bible from the Roman alphabet for the Slavic people of Eastern Europe eventually led to a new Cyrillic alphabet which has spread to over 50 countries and is still in use today. The Cyrillic alphabet uses a blend of characters for letters that look very similar to the characters in our own alphabet, but their Unicode translation is different.

So what does all this mean?

Very simply put, a word used in a domain name registration can be interpreted by our computers to mean something else. And if the word looks like what we expected to see in the address bar, then we can be fooled into clicking on a link or visiting a site that has been crafted to steal sensitive credentials. This is form of Unicode Phishing known as an IDN Homograph Attack and they are not new and nearly impossible to detect according to Xudong Zheng, a web developer who successfully demonstrated the exploit to the world on his own website, https://www.xudongz.com/blog/2017/idn-phishing/ and promptly reported the vulnerability to Google’s Chrome Security Team in January of this year.

Modern browsers can easily detect a homograph attack when tactics like replacing a single or even multiple characters are used such as replacing the first letter of the word, “apple” with a Cyrillic “a”, but this is not always the case when all the characters are replaced with Cyrillic look-alikes.

So how do they do it?

• An attacker selects a domain to spoof, apple.com in this example.
• The attacker then either manually converts the characters that spell out the domain to the Cyrillic alphabet or visits a site with a Homoglyph Attack Generator! Yes they have those. This generates a character string known as Punycode, a way to generate ASCII for DNS from Unicode.
• Once the attacker has the converted Unicode, they register the URL name.
  • Example – “xn--80ak6aa92e.com”, the Punycode conversion for Cyrillic “apple”
• The attacker then builds a fake website that looks like the spoof target’s web page and obtains a free digital certificate to be able to display the Green Secure Padlock on the address bar.
• The attacker then launches the attack via Phishing email or other form of social engineering.
• You do as you are trained and hover over the URL before clicking to confirm the target and see a Green Padlock, the word, “Secure” followed by the URL you expect to see. All is good right?

https://www.аррӏе.com cut and paste this into a new web page in the address bar to see how easy it is to be fooled…

•  If you click the URL, you are directed to https://www.xn--80ak6aa92e.com
• You are Phished.

So what tools or safe practices can protect you from this type of attack?

Use deterrent, preventive, and reactive countermeasures in a layered defense such as:

• Manually type the name of the URL target instead of clicking from the body of an email
• Conduct a comprehensive risk and technical infrastructure assessment
• Re-visit the design or re-design your network architecture
• Utilize DNS and IP layer, intelligent proxy and C2 blocking tools
• Employ Multi-Factor Authentication solutions
• Conduct Security Awareness and Anti-Phishing Training for you and your staff
• Consider use of APT Advanced Sensors to protect your network
• Utilize email anti-spam filtering and set as high as possible to block malware attachments
• Consider 24x7x365 Cyber Security Operations Center security monitoring for your network
• Ensure that your Anti-Virus scan engines are up to date and contain Endpoint Detection & Response (EDR)
• Employ monthly external vulnerability scans
• Conduct periodic external penetration tests of your networks
• Use a Managed Services Provider that offers Managed Security as a Service as well.

Arghire, I. (2016, December 14). Office 365 Business Users Targeted in Punycode-based Phishing. Retrieved from SecurityWeek.com: http://www.securityweek.com/office-365-business-users-targeted-punycode-based-phishing

Arghire, I. (2017, February 3). PayPal Phishing Attack Immediately Verifies Credentials. Retrieved from SecurityWeek.com: http://www.securityweek.com/paypal-phishing-attack-immediately-verifies-credentials

Costello, A. (2003, March). RFC 3492: Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA). Retrieved from ietf.org: http://www.ietf.org/rfc/rfc3492.txt

Crabben, J. v. (2011, April 28). Ancient History Encylopedia. Retrieved from Alphabet: https://www.ancient.eu/alphabet/

Hackett, R. (2017, April 18). This Google Chrome and Firefox Phishing Scam Is ‘Practically Impossible to Spot’. Retrieved from Fortune - Tech: http://fortune.com/2017/04/18/google-chrome-phishing-scam/

Larsen, C. (2014, May 22). Bad Guys Using Internationalized Domain Names (IDNs). Retrieved from Symantec Connect: https://www.symantec.com/connect/blogs/bad-guys-using-internationalized-domain-names-idns

Newman, L. H. (2017, April 18). Sneaky Exploit Allows Phishing Attacks From Site That Look Secure. Retrieved from Wired.com: https://www.wired.com/2017/04/sneaky-exploit-allows-phishing-attacks-sites-look-secure/

Violatti, C. (2015, February 5). Greek Alphabet. Retrieved from Ancient History Encyclopedia: https://www.ancient.eu/Greek_Alphabet/

Wikipedia. (2017, September 24). Internationalized Domain Name. Retrieved from e..wikipedia.org: https://en.wikipedia.org/wiki/Internationalized_domain_name

Wikipedia. (2017, September 9). Internet Governance. Retrieved from Wikipedia, The Free Encyclopedia: https://en.wikipedia.org/wiki/Internet_governance

Wikipedia. (2017, September 24). Punycode. Retrieved from Wikipedia, The Free Encyclopedia: https://en.wikipedia.org/wiki/Punycode

Wikipedia. (2017, August 31). Saints Cyril and Methodius. Retrieved from Wikipedia, The Free Encyclopedia: https://en.wikipedia.org/wiki/Saints_Cyril_and_Methodius

Wikipedia. (2017, September 29). Unicode. Retrieved from Wikipedia, The fre Encyclopedia: https://en.wikipedia.org/wiki/Unicode