Introduction to IDN Homograph Attacks
Agenda:
- What is an IDN Homograph Attack?
- An Example of an IDN Homograph Attack
- Identifying and Verifying Phishing Email Sources
- Preventing IDN Homograph Attacks
- Other Phishing Attack Methods
What is an IDN Homograph Attack?
An IDN (Internationalized Domain Name) Homograph Attack exploits the fact that certain ASCII characters closely resemble characters in other character sets. Let's examine an example using Cyrillic characters:
An IDN Homograph Attack Example
So, as you can see at a glance, or even upon closer examination, characters in different character sets can appear nearly identical. For instance:
- English Characters: a, c, e, o, p, x, and y
- Cyrillic Characters: а, с, е, о, р, х, and у
Now, you might wonder whether popular browsers like Firefox and Chrome automatically correct such characters to prevent these attacks. However, when you search for a domain containing these characters on a registrar like Namecheap, you'll notice it appears in a deceptive, misleading form:
While domain registrars can validate and display these characters accurately, browsers do not always offer the same protection within the URL bar:
While Chrome underlines potentially deceptive characters, it may not be foolproof. Now, let's examine how this type of attack appears when sent via email, often used in spear-phishing attempts:
At first glance, this email appears legitimate as it's supposedly from PayPal with the domain paypal.com. However, hovering over the domain reveals the actual URL as IDN:xn--pypl-53dc.com.
Note: Registering domains with characters like Cyrillic can infringe on trademarks and may lead to legal consequences.
For a side-by-side comparison of English and Cyrillic characters, please refer to this tweet.
Reversing the Phishing Email
To investigate further, let's examine the email's header. You can retrieve email headers manually or use a tool like Mxtoolbox.
Next, utilize another tool like this to extract more information from the headers. This allows you to determine whether the email genuinely originated from PayPal's SMTP servers:
This email was sent via emkei.cz, which a quick Google search reveals as an Email Spoofing Service, confirming the phishing attempt:
Identifying IDNs
An easy way to spot IDN attacks is by hovering over the link or pasting it into the browser without forwarding the request. You'll see the actual IDN, e.g., amazon.com becomes xn--mazon-wqa.com.
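The conversion and checks described here, as an added Python example that is not part of the original article: it converts a hostname between its Unicode form and the xn-- form that actually resolves, flags labels that mix scripts, and substitutes the Cyrillic look-alikes from the comparison list above so the name can be compared with the brand it imitates. The look-alike table and the sample hostnames are constructed for this example.

```python
import unicodedata

# Cyrillic letters from the comparison list above that look like Latin a, c, e, o, p, x, y.
# Constructed for this example; Unicode TR39 lists many more confusables.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}


def to_punycode(domain: str) -> str:
    """ASCII form (xn-- labels) that DNS and the browser actually resolve."""
    return domain.strip().lower().encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Unicode form a browser may render, from either Unicode or xn-- input."""
    return to_punycode(domain).encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def analyze(domain: str) -> dict:
    """Report how a hostname resolves, whether any label mixes scripts and which
    Cyrillic look-alikes it contains; 'skeleton' swaps those look-alikes back to
    Latin so the name can be compared with the brand it imitates."""
    shown = to_unicode(domain)
    resolved = to_punycode(domain)
    mixed = [lab for lab in shown.split(".") if len(label_scripts(lab)) > 1]
    lookalikes = sorted({ch for ch in shown if ch in CYRILLIC_LOOKALIKES})
    return {
        "shown": shown,
        "resolved": resolved,
        "is_idn": any(lab.startswith("xn--") for lab in resolved.split(".")),
        "mixed_script_labels": mixed,
        "cyrillic_lookalikes": lookalikes,
        "skeleton": "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in shown),
        "suspicious": bool(mixed or lookalikes),
    }


if __name__ == "__main__":
    # Constructed samples: "paypal" with Cyrillic а (U+0430) for both a's (which encodes to
    # the xn--pypl-53dc.com seen in the email), the xn--mazon-wqa.com from the text, and a
    # genuine ASCII name for comparison.
    for sample in ("p\u0430yp\u0430l.com", "xn--mazon-wqa.com", "paypal.com"):
        print(analyze(sample))
```

Note that xn--mazon-wqa.com decodes to an accented Latin "a", so it is flagged only as an IDN, not as mixed-script; the punycode form is the one signal that catches both cases.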
Browser Protections
Browsers have built-in security settings to prevent these attacks, but they may not catch all variations. Consider browser extensions that enhance protection.
Manual Verification
Always perform a quick nslookup for more information and use tools like dns-records to verify domains.
Safe Practices
- Type URLs directly into your browser rather than clicking on links.
- Avoid clicking on links in emails, especially password reset emails you didn't initiate. Instead, manually navigate to the website and copy the extension.
Other Phishing Attack Methods
Below are some common phishing attack methods:
- Spear Phishing: Using malicious PDFs, DOCX files, etc.
- Local Area Network (LAN) Based Phishing
- Vishing (Voice Phishing)
- Smishing (SMS Phishing)
- Bit Squatting
There are many more variations and techniques.
Real-Life Example
For a real-life example of an IDN Homograph Attack against Apple, complete with domain registration details, we recommend reading the following: