On April 14th, 2017, researcher Xudong Zheng published a proof of concept of a Punycode attack, which enables attackers to mimic legitimate domains such as PayPal.com.
That blog post was the starting point for the RedSocks Malware Intelligence Team to dig further into the subject and see whether we could gather information about attacks in the wild.
Spoiler: we did.
Domains Vulnerable to IDN Homograph Attacks
RedSocks Security started an investigation to find websites vulnerable to this attack. Since this attack would mainly be employed in phishing, the targets have to be of high value to the attacker.
RedSocks Security checked the Alexa top 100 websites and the Fortune 500 companies. Our investigation showed that more than 100 domains in this list are vulnerable to this attack. Among the vulnerable websites are financial institutions such as PayPal and Silicon Valley giants such as Cisco. To prove the concept, RedSocks Security registered the following domains and warned the owners:
Any third party can register these domains through any registrar, essentially because registrars have no way of relating the IDN code to the true owner of the brand.
An exception during our investigation was the IDN equivalent of a famous bank's domain, where Google intercepted the domain registration. However, this defence only covers .com and a limited number of other domains. As our registrations show, we were able to register the IDN equivalent of a Fortune 500 company's .com domain.
Our objective in registering these domains was to prove to the domain owners that they are vulnerable and must take action. An attacker, however, can forge the website of the true owner and change its links to point to a malicious URL. Since browsers show no difference in the domain name, users are unable to validate the domain. The only way to spot the attack is to use the browser's developer tools to see the real Punycode. This image illustrates the concept:
To prevent scams or phishing attacks, Internet users are advised to look for SSL (or the green 'https' sign) to validate the web page they are visiting. But whoever controls a domain generated using Punycode can still request a valid SSL certificate for it, which assures users that they are accessing a secure domain. Regardless of the padlock, any data entered on the Punycode website ends up in the attacker's hands and not with the legitimate website.
How does the Punycode attack work?
Originally, domains could only consist of a limited set of characters, the letters A to Z (upper and lower case), digits and the hyphen, encoded in US-ASCII. Internationalized Domain Names (IDNs) were created to support domains beyond US-ASCII, so that web users around the globe, including speakers of Japanese, Russian, Spanish and other languages, could use their own scripts.
Punycode is used to encode internationalized domain names to US-ASCII. This is a reversible transformation, required to support the current DNS infrastructure, which is limited to US-ASCII. An IDN contains at least one non-US-ASCII character and can be recognised by the 'xn--' prefix of its encoded form (see image below).
The danger lies in the fact that many languages have similar-looking letters that have different Unicode code points. This attack method is called an "IDN Homograph Attack". For example, the Greek letter O and the Latin letter O have different code points, so registering a domain with the Greek O and one with the Latin O results in two different domain names, while the browser presents both characters as if they were the same.
Although some browsers have defences against this sort of attack embedded in their code, using look-alike Unicode characters interchangeably results in illegitimate domain names passing these tests. At this moment Chrome, Firefox and Opera are vulnerable to this attack, but Chrome and Firefox have stated that they will address this issue soon.
Microsoft Edge (and Internet Explorer) are considered less vulnerable, because the foreign languages used in this sort of attack need to be installed on the computer. If these languages are not installed, the attack fails and the Punycode is visibly displayed in the browser.
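The two points above, the reversible xn-- encoding and the mixed-script heuristic that a whole-script look-alike slips past, as an added example that is not part of the original post. The three domains are constructed samples, not domains RedSocks observed; the functions use only Python's built-in idna codec and unicodedata.

```python
import unicodedata

# Constructed sample domains (not domains observed in the original post):
LATIN_ONLY = "example.com"
MIXED = "\u0435xample.com"                      # Cyrillic 'е' (U+0435) + Latin "xample"
ALL_CYRILLIC = "\u0441\u043e\u0440\u0435.com"   # Cyrillic с о р е, renders like "cope"


def to_punycode(domain: str) -> str:
    """The reversible ASCII form that DNS actually resolves (xn-- labels)."""
    return domain.encode("idna").decode("ascii")


def from_punycode(ascii_domain: str) -> str:
    """Back to the Unicode form a browser renders in the address bar."""
    return ascii_domain.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Script taken from the Unicode character name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def mixed_script_labels(domain: str) -> list[str]:
    """Labels whose letters come from more than one script, the heuristic
    several browsers use. Digits and hyphens are script-neutral and ignored.
    A label written entirely in one look-alike script is NOT flagged."""
    flagged = []
    for label in domain.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def is_idn(domain: str) -> bool:
    """True when any label is Punycode-encoded on the wire (the xn-- prefix)."""
    return any(label.startswith("xn--") for label in to_punycode(domain).split("."))


if __name__ == "__main__":
    for d in (LATIN_ONLY, MIXED, ALL_CYRILLIC):
        print(f"{d!r:22} idn={is_idn(d)!s:5} wire={to_punycode(d):22} "
              f"mixed-script labels={mixed_script_labels(d)}")
```

The all-Cyrillic sample shows the caveat: the mixed-script check returns nothing for it, and only the xn-- form (what Firefox shows with network.IDN_show_punycode enabled) reveals that it is not the Latin domain it resembles.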
Imagine the following scenarios:
The most obvious scenario is phishing. Internet users can easily be tricked into entering login credentials on a website that appears legitimate and that the browser labels as secure thanks to an accepted SSL certificate. This makes it more likely that attackers can steal banking credentials or divert digital bank transfers.
It could, for example, be used to spread fake news, a very popular topic nowadays, through Punycode domains of news organisations such as the BBC or CNN. It is therefore possible to share 'news' from a website that appears to be a legitimate, credible news source, when in reality the fake news is served from a look-alike domain set up by parties wishing to sway public opinion.
Where there is software, there are software updates. Attackers could therefore send a vendor-specific email offering an essential software update (from Cisco, for instance) which in reality delivers fake firmware that could snoop on all network traffic.
This means that state-sponsored targeted attacks become even more likely to succeed.
Attacks in the Wild
At RedSocks Security we believe that this 'trick' might also work on threat intelligence analysis systems. Since browsers are tricked into displaying a misleading domain name, generic threat detection and analysis systems may be tricked in the same way. It therefore comes as no surprise that companies have publicly stated that they did not detect attacks in the wild.
Luckily, the RedSocks MTD is configured to detect this type of attack. We were able to collect information about attacks in the wild, and our customers are protected against them.
RedSocks Security has identified over 100 domains belonging to Alexa top 100 and Fortune 500 companies that are vulnerable to this attack. Over 80% of these domains are registered under the .com TLD.
The IDN equivalent of yahoo.com has been registered since 2006 but is no longer accessible. Yet VirusTotal history shows that the IP addresses of this domain have been involved in phishing and malware campaigns, targeting mainly Adobe, PayPal and Apple, as shown in the image below.
The server's address has also long been involved in communication with malware known as minefilter.exe. At this stage, though, we cannot draw a definite conclusion about the malicious activities the yahoo IDN equivalent was involved in.
We did come across an archived robots.txt file that instructed search engines not to index the website’s content.
What Should Domain Owners Do?
During our investigation, we registered domain names of several well-known brands. We did this to prove our findings and to make sure malicious attackers cannot register those domains. During the course of our investigation we contacted the owners of the brands to inform them about our actions and to collaborate.
If you are the owner of a brand that could be vulnerable to this type of attack, we recommend you either register the Punycode domain or monitor for its registration.
What Could Users Do?
If you are a Firefox user you can go to about:config and set network.IDN_show_punycode to true. With this setting enabled, the domain is displayed in its Punycode form, so the user can see that Punycode is used in the domain (source).
Chrome is currently rolling out a patch to address this issue. But it should be noted that it is hard to pin down where this problem originates and to create a fraud-proof solution for this type of attack.
Punycode attacks have been observed in the wild by the RedSocks Malware Intelligence Team. Although the browser vendors have said they intend to address these attacks, this type of attack is not easily mitigated and is therefore likely here to stay.
Written by Sina Davanian, Malware Researcher @ RedSocks Security