A security researcher published a proof-of-concept attack that leverages vulnerabilities regarding Unicode domains in major web browsers. According to the researcher, attackers can use Unicode domains to make phishing sites nearly indistinguishable from legitimate sites. What's the issue here, and are there any tactics to better detect these malicious sites?
Trust is a necessity in cybersecurity, and that is one of the main reasons attackers continually try to exploit it when attacking networks.
We put a lot of time and defensive effort into verifying that a particular party on the internet is who they say they are, and we do this with good reason. But because of this need for trust, attackers rely on spoofing as a standard method of exploitation. The more convincingly an attacker can deceive someone, the higher the probability of success, or of cover, while attempting an exploit.
Here is where the recent proof of concept that shows attackers can abuse Unicode domains to look like legitimate sites comes into play. Attackers are able to trick users into clicking on particular links that look like they are from legitimate domains, but that actually lead to malicious sites.
This deception works because many letters look very similar within Unicode domains, especially across the Latin and Cyrillic character sets. To the human eye there is no distinguishable difference between many of these letters, but computers treat them as different characters, and attackers use this to their advantage.
By registering Punycode domains -- internationalized domain names whose non-ASCII characters are encoded into an ASCII form that DNS can carry -- an attacker can register xn--tst-6la.com, which a browser renders as a Unicode look-alike of test.com. These types of spoofing attacks are called homograph attacks.
This particular issue was deemed a bug by the makers of Internet Explorer, Chrome and Opera, all of which either pushed out updates to remediate the issue or are working to have one released shortly. As of this time, Firefox has stated that the problem lies with how registrars enable users to register domains in this manner, and it isn't taking a stance on remediating the issue. There is a workaround in the Firefox about:config settings that enables Firefox users to at least see the Punycode form of a domain in the browser and so identify the malicious ones.
There will always be attackers looking to prey on your trust, and this is nothing new. This emphasizes the need to validate that URLs come only from trusted third parties, but knowing whether a party is trusted in the first place is the hard part. Validating SSL certificates for sites with browser plug-ins and eventually having the internet embrace Domain Name System Security Extensions can stop these types of attacks from occurring.
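The following is an added example, not code from the original article or from any browser vendor. It shows, in Python using only the standard library, the two sides of the problem described above: converting between the Unicode form a browser displays and the Punycode (xn--) form that DNS actually resolves, and then flagging a hostname the way a defensive URL check or mail filter might, by detecting labels that mix scripts and by comparing a "skeleton" of the name against a list of domains the user trusts. The confusables table is a small constructed subset of Cyrillic letters that resemble Latin ones, not Unicode's full confusables data, and the trusted-domain list is an assumption for the demonstration.

```python
"""Flag homograph (look-alike) hostnames before a user trusts them.

Added example, not part of the original article. Relies on the built-in
"idna" codec for Unicode <-> Punycode conversion and on unicodedata for
character names, from which the script (LATIN, CYRILLIC, ...) is taken.
"""
import unicodedata

# Constructed subset of Cyrillic letters that look like Latin letters.
# Illustrative only; a production check would use Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_unicode(host: str) -> str:
    """Render an ASCII (possibly Punycode) hostname as the Unicode a browser shows."""
    return host.encode("ascii").decode("idna")


def to_punycode(host: str) -> str:
    """Render a Unicode hostname in the ASCII form that DNS resolves."""
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}.

    The first word of a character's Unicode name is its script for the
    alphabetic characters that matter here (LATIN SMALL LETTER A, ...).
    """
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(host: str) -> str:
    """Collapse visually similar hostnames to one string.

    Confusable Cyrillic letters are mapped to their Latin look-alikes and
    accents are stripped, so "t\u00e8st.com" and "test.com" compare equal.
    """
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def assess(host: str, trusted: list):
    """Return (unicode_form, punycode_form, reasons) for a hostname.

    An empty reasons list means nothing suspicious was found.
    """
    uni = to_unicode(host) if host.isascii() else host
    puny = to_punycode(uni)
    reasons = []
    if puny != uni:
        reasons.append(f"internationalized domain: shown as {uni}, resolved as {puny}")
    for label in uni.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            reasons.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    skel = skeleton(uni)
    for t in trusted:
        if uni != t and skel == skeleton(t):
            reasons.append(f"looks like trusted domain {t} but is not it")
    return uni, puny, reasons


if __name__ == "__main__":
    # Constructed sample input: the article's example plus one Cyrillic look-alike.
    TRUSTED = ["test.com", "example.com"]  # assumed allow-list
    for sample in ["xn--tst-6la.com", "test.com", "\u0435xample.com"]:
        uni, puny, reasons = assess(sample, TRUSTED)
        print(f"{sample!r}: shown {uni!r}, resolves {puny!r}")
        for r in reasons:
            print("   !", r)
```

Running the script prints the article's example as shown `tèst.com` / resolved `xn--tst-6la.com`, flags it as a look-alike of test.com, and flags the Cyrillic sample both for mixing scripts within one label and for matching example.com's skeleton. The mixed-script check is the cheapest heuristic and is essentially what browser IDN display policies rely on; the skeleton comparison catches the single-script case (all Cyrillic, or an accented Latin letter) that the mixed-script check cannot.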
Spoofing is nothing new, and there will always be attackers looking to gain an advantage by misleading and deceiving users for malicious purposes. This particular attack is difficult to defend against, but with an updated browser that remediates the Punycode spoofing ability, and by being extra diligent with third-party links, you'll have the best chance of avoiding it.
In the meantime, update your browsers if possible, and be careful clicking on links from third-party sources.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)