Business Technology Insights

Beware of Phishing Attacks: How Cybercriminals Exploit Domain Names

Written by Emily Kirk | October 10, 2017

UPDATED September 25, 2023 

Originally built in the United States, the Internet used American Standard Code for Information Interchange (ASCII) for encoding English language Latin-based alphabet characters for communications between computers. You see…computers don’t understand letters or languages, only ones and zeros. But many other world languages use characters that are not found in the Latin alphabet. The international community as a whole saw this as a problem and since the early nineties has created and adopted standards known as Unicode to allow for the handling and rendering of different characters on the web.

The Domain Name System (DNS) which we use to translate user friendly names to IP Addresses for Internet communication, only understands ASCII so in 2010, the Internet Corporation for Assigned Names and Numbers (ICANN) adopted the use of Internationalized Domain Names (IDN) and decided that IDNs should be converted to ASCII-based form so they could be handled by web browsers, applications (IDNA) and DNS. Basically, make it easier on the computer, and the user gets an easier experience as well. But hackers are exploiting this, matching the sophistication of the internet progression. 

How vulnerable are you to a phishing attack? 

Very simply put, a word used in a domain name registration can be interpreted by our computers to mean something else. And if the word looks like what we expected to see in the address bar, then we can be fooled into clicking on a link or visiting a site that has been crafted to steal sensitive credentials. This is form of Unicode Phishing known as an IDN Homograph Attack and they are not new and nearly impossible to detect according to Xudong Zheng, a web developer who successfully demonstrated the exploit to the world on his own website and promptly reported the vulnerability to Google’s Chrome Security Team. Note the similarities of the URL and the domain code and the drastic change in the redirect. 

The Cyrillic alphabet, created by two brothers who later became canonized as saints, allows for hackers to shift the Unicode to look like their legitimate counterparts but then route users to a faulty, malicious website. Modern browsers can easily detect a homograph attack when tactics like replacing a single or even multiple characters are used such as replacing the first letter of the word, “apple” with a Cyrillic “a”, but this is not always the case when all the characters are replaced with Cyrillic alphabet characters. By using a blend of characters for letters that look very similar to the characters in our own alphabet, hackers can easily fool their phishing targets. 

Xudong exposed a previously unknown vulnerability by replacing all of the Latin characters in the word, “apple” with characters in Cyrillic font, “apple." The browsers Chrome and Firefox failed every time. He then registered the converted Unicode name and built a simple webpage announcing the exploit. Chrome has since corrected the vulnerability and Firefox allows you to display the target’s Punycode URL so you can decide if that is where you want to go.

So how do they do it?

  • An attacker selects a domain to spoof, apple.com in this example.
  • The attacker then either manually converts the characters that spell out the domain to the Cyrillic alphabet or visits a site with a Homoglyph Attack Generator! Yes they have those. This generates a character string known as Punycode, a way to generate ASCII for DNS from Unicode.
  • Once the attacker has the converted Unicode, they register the URL name.
    • Example – “xn--80ak6aa92e.com”, the Punycode conversion for Cyrillic “apple”
  • The attacker then builds a fake website that looks like the spoof target’s web page and obtains a free digital certificate to be able to display the Green Secure Padlock on the address bar.
  • The attacker then launches the attack via Phishing email or other form of social engineering.
  • You do as you are trained and hover over the URL before clicking to confirm the target and see a Green Padlock, the word, “Secure” followed by the URL you expect to see. All is good right?
  •  If you click the URL, you are directed to the hacker's created website domain. 
  • You are Phished.

how to protect Against phishing attacks

Use deterrent, preventive, and reactive countermeasures in a layered defense such as:

  • Manually type the name of the URL target instead of clicking from the body of an email
  • Utilize email anti-spam filtering and set as high as possible to block malware attachments
  • NEVER click a link in an email from an unknown source. EVER.
  • Conduct a comprehensive risk and technical infrastructure assessment
  • Re-visit the design or re-design your network architecture
  • Employ Multi-Factor Authentication solutions when you can 
  • Conduct Security Awareness and Anti-Phishing Training for you and your staff
  • Consider around the clock Cyber Security Operations Center security monitoring for your network
  • Ensure that your Anti-Virus scan engines are up to date and contain Endpoint Detection & Response (EDR)
  • Employ monthly external vulnerability scans
  • Conduct periodic external penetration tests of your networks
  • Use a Managed Services Provider that offers Managed Security as a Service as well.

 

Still curious? We're happy to help. 
View full post