Phishing and homograph attack (Punycode)

Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels. Why do attackers use it? Phishing emails distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from targets.

Companies and security departments continue to educate their users in phishing defense and deploy anti-phishing strategies, yet cybercriminals keep honing their existing phishing attacks and rolling out new types of phishing scams. Some of the more common types of phishing attacks include the following:

Spear phishing attacks target specific individuals or companies, usually using information specific to the victim that has been gathered beforehand so that the message appears authentic. Spear phishing emails might include references to coworkers or executives at the victim's organization, as well as the victim's name, location or other personal information.


Whaling attacks are a type of spear phishing attack that specifically targets senior executives within an organization. Those preparing a spear phishing campaign research their victims in detail to create a more authentic message and increase the chances of the attack being successful.

Example: the attacker targets an employee with the authority to approve payments, and the phishing message appears to be an instruction from an executive to authorize a large payment to a vendor when, in fact, the payment would go to the attackers.

Pharming is a type of phishing that relies on DNS cache poisoning to redirect users from a legitimate site to a fraudulent one, tricking them into entering their login credentials on the fraudulent site. Where MFA is missing, the captured credentials allow further unauthorized activity.

Clone phishing attacks reuse previously delivered, legitimate emails that contain a link or an attachment. Attackers copy (clone) the legitimate email, replacing one or more links or attached files with malicious links or malware attachments. Because the message appears to be a duplicate of the original, legitimate email, victims can often be tricked into clicking the malicious link or opening the malicious attachment.

This technique is often used by attackers who have taken control of another victim's system. In this case, the attackers leverage their control of one system to pivot within an organization using email messages from a trusted sender known to the victims.

Phishers sometimes use the evil twin Wi-Fi attack by standing up a Wi-Fi access point and advertising it with a deceptive name that is similar to a legitimate access point. When victims connect to the evil twin Wi-Fi network, the attackers gain access to all the transmissions sent to or from victim devices, including user IDs and passwords. Attackers can also use this vector to present victim devices with fraudulent prompts for system credentials that appear to originate from legitimate systems, capturing material such as NTLMv1/v2 hashes.

Voice phishing, also known as vishing, is a form of phishing that occurs over voice communications media, including voice over IP (VoIP) or POTS (plain old telephone service). A typical vishing scam uses speech synthesis software to leave voicemails purporting to notify the victim of suspicious activity in a bank or credit account, and solicits the victim to respond to a malicious phone number to verify his identity -- thus compromising the victim's account credentials.

Another mobile device-oriented phishing attack, SMS phishing -- also sometimes called SMishing or SMShing -- uses text messaging to convince victims to disclose account credentials or to install malware.

What I especially want to focus on is an obfuscation method used to lure people into visiting malicious websites: the homograph attack. It was first seen on the 7th of April 200, when an anonymous site published a bogus story claiming that PairGain Technologies (NASDAQ:PAIR) was about to be acquired for twice its market value. The website closely imitated the Bloomberg news website (most probably mirrored with HTTrack Website Copier) in order to appear authentic to unsuspecting users. The "news" was disseminated through a message posted to the Yahoo message board dedicated to PairGain. The message linked to the phony site by its numerical IP address rather than by name, which obscured its true identity. Thanks to the Bloomberg look and stylesheet, many readers accepted the story at face value despite its suspicious address. As a result, PairGain stock first jumped 31% and then fell sharply, causing severe losses to investors.

A stronger variant of the hoax might have used a domain named bl00mberg.com (replacing o's with zeros). Attacks like this are relatively easy to detect; however, forthcoming Internet technologies have the potential to make such attacks much more elusive and devastating.

A new initiative, promoted by a number of Internet standards bodies including IETF and IANA, allows one to register domain names in national alphabets. Far from buzzword compliance, the initiative caters to the genuine needs of non-English speaking Internet users, who currently find it difficult to access Web sites otherwise. Several alternative implementations are currently being considered, and we can expect the standardization process to be completed soon. 

The benefits of this initiative are indisputable. Yet the very idea of such an infrastructure is compromised by the peculiarities of world alphabets. Revisiting our newspaper example, one can observe that Russian letters а,е,р,у are indistinguishable in writing from their English counterparts. Some of the letters (such as a) are close etymologically, while others look similar by sheer coincidence. For instance, Russian letter p is actually pronounced like r, but the glyphs of the two letters are identical. As it happens, Russian is not the only such language; other Cyrillic languages may cause similar collisions.

With the proposed infrastructure in place, numerous English domain names may be maliciously misspelled by substitution of non-Latin letters. For example, the Bloomberg attack could have been crafted much more skillfully, by registering a domain name “bloomberg.com”, where the letters “o” and/or “e” have been faked with Russian substitutes. Without adequate safety mechanisms, this scheme can easily mislead even the most cautious reader.

If that already sounds strange, it can get scarier.

Take as a scenario Bob the Hacker, who similarly mimics the name of your bank's web site. He then uses the freshly registered domain to install an eavesdropping proxy whose job is to route all incoming traffic to the real site. In order to lure customers through his site, Bob posts on several prominent portals that link to the bank, substituting the bogus address for the original one. Bob now has access to an endless stream of passwords to bank accounts. Note that this plot can stay in service for years, while customers unfortunate enough to have bookmarked the new link might use it forever. Since most URLs today are clicked rather than typed, the outlook becomes quite chilling.

Several approaches can be employed to guard against this kind of attack. The simplest fix would indiscriminately prohibit domain names that mix letters from different alphabets, but this would also block certainly useful names like CNNenEspañol.com. More practically, the browser can highlight international letters present in domain names with a distinct color, although many users may find this technique overly intrusive. A more user-friendly browser may only highlight truly suspicious names, such as ones that mix letters within a single word. For additional security, the browser can use a map of identical letters to search for collisions between the requested domain and similarly written registered ones. If necessary, it would then warn the user of suspected fraud.

A more realistic example: https://xn--80aa0cbo65f.com/ -> a PayPal proof of concept (pay particular attention to the title of the website).

In both Firefox and Chrome, visit: https://paypal.com

Here's what it looks like in those browsers:

Firefox: (address-bar screenshot)

Chrome: (address-bar screenshot)

Pretty not cool! In Firefox, it looks like the official PayPal site in the address bar. In Chrome, however, it is displayed as Punycode. Why? Because Chrome and Mozilla use different Internationalized Domain Name display algorithms. Chrome's algorithm is much stricter and more complex than Mozilla's, and includes special logic to protect against homograph attacks: if the domain is on a gTLD and all of its letters are Cyrillic letters confusable with Latin ones, Chrome shows the Punycode form in the address bar rather than the Unicode characters. Chrome only changed this recently, following Xudong Zheng's 2017 report that used www.xn--80ak6aa92e.com as a proof of concept.
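Here, as an added Python example that is not from this post or from any browser's code, are the defenses discussed above side by side: rejecting labels that mix alphabets, applying a Chrome-style rule that a label made entirely of Latin-confusable Cyrillic letters on a gTLD is shown as Punycode, and catching collisions with a known name through a confusable-letter map (it also decodes the xn-- proof of concept mentioned above). The confusable map, the gTLD set and the trusted list are constructed stand-ins for the Unicode confusables table, the IANA gTLD list and a real allow-list.

```python
import unicodedata

# Constructed subset of Cyrillic letters whose glyphs collide with Latin ones;
# a real deployment would load the full Unicode confusables table instead.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u04bb": "h",
}
GTLDS = {"com", "net", "org"}  # constructed stand-in for the IANA gTLD list

def to_unicode(domain: str) -> str:
    """Turn Punycode (xn--) labels back into the Unicode the address bar draws."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)

def to_ascii(domain: str) -> str:
    """Inverse of to_unicode: every non-ASCII label becomes an xn-- label."""
    out = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label)
    return ".".join(out)

def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, read off their Unicode names."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}

def skeleton(domain: str) -> str:
    """Replace confusable Cyrillic letters with the Latin letters they mimic."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in domain)

def assess(domain: str, trusted: set) -> list:
    """Run the three checks from the text; an empty list means nothing suspicious."""
    uni = to_unicode(domain)
    label, tld = uni.split(".")[0], uni.split(".")[-1]
    findings = []
    if len(scripts_in(label)) > 1:                     # letters from several alphabets
        findings.append("mixed-script")
    if tld in GTLDS and all(c in CYRILLIC_TO_LATIN for c in label):
        findings.append("all-confusable")              # Chrome-style rule: show xn-- form
    if uni not in trusted and skeleton(uni) in trusted:
        findings.append("collision:" + skeleton(uni))  # lookalike of a known name
    return findings
```

Script detection treats ñ as Latin, so CNNenEspañol.com passes the mixed-alphabet check here even though a per-letter ban on non-English letters would block it.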

However, tools are available within the GitHub community for identifying IDN homograph lookalikes among existing registered domains.

Coming back to the difference between Mozilla and Chrome, here is Chrome's statement in support of their display algorithm, which nicely summarizes the tradeoffs at play: "We want to prevent confusion, while ensuring that users across languages have a great experience in Chrome. Displaying either punycode or a visible security warning on too wide of a set of URLs would hurt web usability for people around the world."

The internet is full of these tradeoffs between accessibility and security. As users and maintainers of this wonderful place, I find conversations like these to be one of the best parts of building our world together and using it conscientiously.

Sorry for the long post, usually small steps add up to complete big journeys... more to come.
