
How are hackers using Unicode domains for spoofing attacks?

A proof of concept showed that hackers can use Unicode domains to make phishing sites look legitimate. Expert Matthew Pascucci explains how this spoofing attack works.

A security researcher published a proof-of-concept attack that leverages vulnerabilities regarding Unicode domains in major web browsers. According to the researcher, attackers can use Unicode domains to make phishing sites nearly indistinguishable from legitimate sites. What's the issue here, and are there any tactics to better detect these malicious sites?

Trust is a necessity in cybersecurity, and it's one of the main reasons attackers continually try to exploit this emotion when assaulting networks.

We put a lot of time and defensive effort into verifying that a particular party on the internet is who they say they are, and we do this with good reason. But because of this need for trust, attackers rely on spoofing as a standard method of exploitation. The more convincingly an attacker can deceive someone, the higher the probability that the attempt succeeds, or at least goes unnoticed.

This is where the recent proof of concept comes into play: it shows that attackers can abuse Unicode domains to make malicious sites look legitimate. Attackers are able to trick users into clicking on links that appear to point at legitimate domains, but that actually lead to malicious sites.

This deception works because many letters look very similar within Unicode domains, especially within Latin and Cyrillic character sets. There is no distinguishable difference between many of these letters to the human eye, but computers treat them differently, and attackers use this to their advantage.

Punycode is the ASCII encoding used for such domains: a label containing non-ASCII characters is stored in the Domain Name System as an ASCII string with the prefix xn--, and the browser decodes it back to Unicode for display. By registering such a Punycode domain, an attacker can have xn--tst-6la.com registered, which the browser displays as a Unicode name nearly indistinguishable from test.com. These types of spoofing attacks are called homograph attacks.

This particular issue was deemed a bug by the makers of Internet Explorer, Chrome and Opera, all of which either pushed out updates to remediate the issue or are working to have one released shortly. As of this time, Firefox has stated that the problem lies with how registrars allow users to register domains in this manner, and it isn't taking a stance on remediating the issue. There is a workaround in the Firefox about:config settings that makes the browser display the Punycode form, so that Firefox users can at least recognize these malicious domains in the address bar.
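To make the Punycode mechanics and the browser display policies described above concrete, here is an added Python example; it is not code from the article, the proof of concept, or any browser vendor. It decodes xn-- labels with the standard library's idna codec, confirms that the article's xn--tst-6la.com is the Punycode form of tèst.com, and flags a label when it mixes Latin and Cyrillic letters, when it is wholly Cyrillic yet reads as a Latin word, or when it differs from a plain ASCII name only by an accent. The look-alike table and the sample hostnames are constructed for this example, and the table is only a small subset of the Unicode confusables data.

```python
import unicodedata

# Constructed subset of the Unicode confusables data: Cyrillic lowercase letters
# that render almost identically to a Latin letter in most fonts.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

# Ordered from harmless to most deceptive; used to pick the worst label of a host.
RISK_ORDER = ["none", "diacritic-lookalike", "mixed-script", "whole-script-confusable"]


def script_of(ch: str) -> str:
    """Coarse script bucket for one character, taken from its Unicode name."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"   # digits and '-' are script-neutral
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ")[0].title()                  # 'CYRILLIC SMALL LETTER A' -> 'Cyrillic'


def strip_diacritics(text: str) -> str:
    """Fold accented Latin letters to their base letter ('tèst' -> 'test')."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def analyze_label(label: str) -> dict:
    """Classify one DNS label roughly the way a browser's IDN display policy does."""
    scripts = {script_of(c) for c in label} - {"Common"}
    info = {"label": label, "scripts": sorted(scripts), "risk": "none", "looks_like": label}
    if label.isascii():
        return info                                    # plain ASCII: nothing to spoof
    folded = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    if len(scripts) > 1:
        # Latin and Cyrillic letters in one label: the classic homograph trick.
        info["risk"], info["looks_like"] = "mixed-script", strip_diacritics(folded)
    elif scripts == {"Cyrillic"} and folded.isascii():
        # Every letter is Cyrillic, yet the whole label reads as a Latin word.
        info["risk"], info["looks_like"] = "whole-script-confusable", folded
    elif scripts == {"Latin"} and strip_diacritics(label) != label:
        # Same script, but an accent lets 'tèst' pass for 'test' at a glance.
        info["risk"], info["looks_like"] = "diacritic-lookalike", strip_diacritics(label)
    return info


def check_host(host: str) -> dict:
    """Decode Punycode (xn--) labels, analyse each label and report the worst risk."""
    unicode_host = host.encode("idna").decode("idna")        # stdlib IDNA round trip
    punycode_host = unicode_host.encode("idna").decode("ascii")
    labels = [analyze_label(part) for part in unicode_host.split(".")]
    worst = max(labels, key=lambda item: RISK_ORDER.index(item["risk"]))
    return {
        "input": host,
        "unicode": unicode_host,
        "punycode": punycode_host,
        "risk": worst["risk"],
        "looks_like": ".".join(item["looks_like"] for item in labels),
        "labels": labels,
    }


# Constructed sample hostnames for this example.
SAMPLE_HOSTS = [
    "test.com",
    "xn--tst-6la.com",                              # the Punycode name quoted in the article
    "secure-l\u043egin.com",                        # Cyrillic 'о' inside an otherwise Latin label
    "\u0430\u0441\u0441\u0435\u0455\u0455.com",      # all Cyrillic, reads as 'access'
    "\u043f\u0440\u0438\u0432\u0435\u0442.com",      # genuine Cyrillic word, no Latin look-alike
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        report = check_host(host)
        print(f"{report['input']:<22} {report['punycode']:<26} "
              f"{report['risk']:<24} looks like {report['looks_like']}")
```

The genuine Cyrillic word is deliberately included: a checker that flags every non-ASCII name would block legitimate internationalized domains, so the script only reports a label when it can be read as a Latin name. Firefox's about:config workaround mentioned above is the network.IDN_show_punycode preference; when it is set to true the address bar shows the xn-- form that this script prints in its punycode column.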

There will always be attackers looking to prey on your trust, and this is nothing new. This emphasizes the need to validate that URLs come only from trusted third parties, but users often have no way of knowing whether a source is trustworthy. Validating SSL certificates for sites with browser plug-ins, and eventually having the internet embrace Domain Name System Security Extensions, can stop these types of attacks from occurring.

Spoofing is nothing new, and there will always be attackers looking to gain an advantage by misleading and deceiving users for malicious purposes. This particular attack is difficult to defend against, but with an updated browser that remediates the spoofing ability of Punycode, and by being extra diligent with third-party links, you'll have the best chance to avoid it.

In the meantime, update your browsers if possible, and be careful clicking on links from third-party sources.


This was last published in July 2017
