IDN Homograph Phishing Attacks/Prevention


Introduction to IDN Homograph Attacks

Agenda:

  1. What is an IDN Homograph Attack?
  2. An Example of an IDN Homograph Attack
  3. Identifying and Verifying Phishing Email Sources
  4. Preventing IDN Homograph Attacks
  5. Other Phishing Attack Methods

What is an IDN Homograph Attack?

An IDN (Internationalized Domain Name) homograph attack exploits the fact that many Unicode characters from non-Latin scripts look identical, or nearly identical, to the ASCII letters used in familiar domain names. An IDN is stored and resolved in DNS in its Punycode form (an ASCII label beginning with xn--) but is rendered by browsers and mail clients in its Unicode form, so an attacker can register a name that displays like a well-known brand while resolving to a server the attacker controls. Let's examine an example using Cyrillic characters:

An IDN Homograph Attack Example

So, as you can see at a glance, and even upon closer examination, characters from different scripts can appear nearly identical. For instance:

  • Latin (ASCII) characters: a, c, e, o, p, x, and y
  • Cyrillic characters: а (U+0430), с (U+0441), е (U+0435), о (U+043E), р (U+0440), х (U+0445), and у (U+0443)

Now, you might wonder whether popular browsers like Firefox and Chrome automatically flag such characters to prevent these attacks. First, though, note that when you search for such a name on a domain registrar like Namecheap, it is shown in its Unicode form, exactly the deceptive, misleading way an attacker wants it seen:

Image

Registrars can validate these names and display them accurately alongside their xn-- form; browsers do not always offer the same protection in the URL bar:

Image

Chrome flags potentially deceptive characters (in the screenshot, by underlining them), but this is not foolproof: whether a browser renders the Unicode form or falls back to the raw xn-- label depends on its IDN display policy, and a name that passes that policy is drawn exactly like the brand it imitates. Now, let's examine how this type of attack appears when sent via email, as is common in spear-phishing attempts:

Image

At first glance, this email appears legitimate: it is supposedly from PayPal and the link text reads paypal.com. Hovering over the link, however, reveals the real destination, xn--pypl-53dc.com, which is the Punycode form of paypal.com spelled with two Cyrillic а's (U+0430) in place of the Latin a's.

Note: registering look-alike domains of this kind can infringe trademarks and may lead to legal consequences.

For a side-by-side comparison of English and Cyrillic characters, please refer to this tweet.

Reversing the Phishing Email

To investigate further, let's examine the email's headers. Retrieve the full headers from your mail client ("show original" or "view source" in most clients), then analyze them by hand or with a tool such as MxToolbox's header analyzer.

Next, use a header-analysis tool to walk the Received chain and the Authentication-Results line. Each mail server that handles a message prepends its own Received header, so the top entry is the last hop and the bottom entry is where the message first entered the mail system. Reading the chain bottom-up, together with the SPF, DKIM and DMARC verdicts recorded by the receiving server, tells you whether the email genuinely originated from PayPal's SMTP servers:

Image

This email was sent via emkei.cz, which a quick web search reveals to be an email-spoofing service, confirming the phishing attempt:

Image
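The header walk described above, as an added example that is not part of the original post and not the tool it used. The script parses a message with Python's standard-library email module, lists the Received hops oldest-first, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, and compares the From domain with the first hop and the Reply-To domain. RAW_EMAIL is a constructed sample: its hostnames, addresses and queue IDs are invented for the demonstration and are not the headers from the screenshots.

```python
"""Walk a phishing email's headers to find where it really came from.

Added example for this post (not code from the original article). RAW_EMAIL
is a constructed message; every hostname, address and ID in it is made up.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample. Servers prepend Received headers, so the top one is the
# last hop and the bottom one is where the message entered the mail system.
RAW_EMAIL = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
    by imap.recipient.example with ESMTP id abc123
    for <victim@recipient.example>; Mon, 01 Jan 2024 10:00:02 +0000
Received: from spoofer.example (spoofer.example [198.51.100.7])
    by mx.recipient.example with ESMTP id def456; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.recipient.example;
    spf=fail smtp.mailfrom=paypal.com;
    dkim=none;
    dmarc=fail header.from=paypal.com
From: PayPal <service@paypal.com>
Reply-To: support@xn--pypl-53dc.com
To: victim@recipient.example
Subject: Action required on your account

Please verify your account at http://xn--pypl-53dc.com/login
"""


def unfold(value: str) -> str:
    """Collapse RFC 5322 header folding (newline + indent) into one line."""
    return " ".join(value.split())


def received_chain(msg) -> list:
    """Hops as (from_host, by_host), oldest first (reverse of header order)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", unfold(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def auth_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts recorded by the receiving server."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", unfold(value)):
            results[method] = verdict
    return results


def domain_of(header_value) -> str:
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Findings a header analyzer would surface for this message."""
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    auth = auth_results(msg)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    reasons = []
    if hops:
        origin = hops[0][0]
        if origin != from_dom and not origin.endswith("." + from_dom):
            reasons.append(f"entered the mail system at {origin}, not a {from_dom} host")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            reasons.append(f"{method}={auth.get(method, 'missing')} for {from_dom}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    if "xn--" in reply_dom:
        reasons.append("Reply-To domain is an IDN (xn--) look-alike")
    return {"hops": hops, "auth": auth, "from": from_dom,
            "reply_to": reply_dom, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for line in triage(RAW_EMAIL)["reasons"]:
        print("-", line)
```

The first hop is the one that matters: anything above it was added by servers on the recipient's side and cannot be forged by the sender, while everything in the message itself, including the From line, can be. A spoofing service shows up exactly there, as the host that handed the message to the recipient's MX.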

Identifying IDNs

An easy way to spot IDN attacks is to hover over the link, or paste it into the address bar without pressing Enter: the browser shows the Punycode (xn--) form of the host. For example, a look-alike of amazon.com such as ámazon.com (with an accented a) becomes xn--mazon-wqa.com. Any xn-- label in a domain you expected to be plain ASCII deserves a second look.
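The conversion between the rendered name and its xn-- form, and the look-alike checks sketched in the introduction above, as an added example that is not code from the original post. It uses only Python's standard library: the idna codec does the Punycode conversion, and a constructed confusables table (a small subset covering the Cyrillic letters listed earlier; Unicode's full UTS #39 table is far larger) plus accent stripping produces the ASCII name a label imitates. Sample hosts in the main block are constructed.

```python
"""Decode an IDN and flag look-alike labels.

Added example for this post, not code from the original article.
CONFUSABLES is a constructed subset of Unicode's confusables data.
"""
import unicodedata

# Non-Latin letters that render like ASCII letters (constructed subset).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}


def to_unicode(host: str) -> str:
    """Turn Punycode (xn--) labels into the Unicode the browser renders."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return host  # already in Unicode form


def to_ascii(host: str) -> str:
    """Turn a Unicode host into the xn-- form that is actually looked up in DNS."""
    return host.encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Unicode scripts of the letters in one label (digits and '-' ignored)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """What the label looks like in ASCII: accents stripped, confusables mapped."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue  # drop the acute in 'á' and similar marks
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def analyze(host: str) -> dict:
    """Report the checks a reader should make before trusting a link."""
    uni = to_unicode(host).lower()
    labels = uni.split(".")
    looks_like = ".".join(skeleton(label) for label in labels)
    return {
        "unicode": uni,
        "punycode": to_ascii(uni),
        "scripts": sorted(set().union(*(scripts(label) for label in labels))),
        "mixed_script": any(len(scripts(label)) > 1 for label in labels),
        # Flag a name that would render like a plain ASCII name but is not one.
        "lookalike": looks_like != uni and looks_like.isascii(),
        "looks_like": looks_like,
    }


if __name__ == "__main__":
    # Constructed samples: the genuine name, the Cyrillic look-alike from the
    # email above, and an accented Latin look-alike that no script check catches.
    for sample in ("paypal.com", "xn--pypl-53dc.com", "\u00e1mazon.com"):
        print(analyze(sample))
```

The accented sample is the reason for the skeleton check: ámazon.com is a single-script (Latin) label, so a browser policy that only looks for mixed scripts renders it in full, yet it still reads as amazon.com at a glance.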

Browser Protections

Browsers have built-in IDN display policies (for example, falling back to the xn-- form for a label that mixes scripts), but they don't catch every variation: a label built entirely from look-alike letters of a single script passes a simple mixed-script check. Consider browser extensions that add confusable detection on top.

Manual Verification

Always run a quick nslookup (or dig) to see where the name actually resolves, and a whois lookup to see when it was registered: a "brand" domain created last week is a red flag. DNS-record lookup tools like dns-records help verify a domain's A, MX and NS records.

Safe Practices

  • Type URLs directly into your browser rather than clicking on links.
  • Avoid clicking on links in emails, especially password-reset emails you didn't initiate. Instead, navigate to the website manually and, if you need a specific page, copy only the path from the link and append it to the domain you typed yourself.

Other Phishing Attack Methods

Below are some common phishing attack methods:

  1. Spear Phishing: targeted emails carrying malicious PDF, DOCX and similar attachments
  2. Local Area Network (LAN) Based Phishing
  3. Vishing (Voice Phishing)
  4. Smishing (SMS Phishing)
  5. Bitsquatting: domains one bit-flip away from the real name, reached through memory errors rather than user mistakes

There are many more variations and techniques.

Real-Life Example

For a real-life example of an IDN Homograph Attack against Apple, complete with domain registration details, we recommend reading the following: