{"id":9734,"date":"2017-10-06T08:10:04","date_gmt":"2017-10-06T16:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/06\/news-3507\/"},"modified":"2017-10-06T08:10:04","modified_gmt":"2017-10-06T16:10:04","slug":"news-3507","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/06\/news-3507\/","title":{"rendered":"Out of character: Homograph attacks explained"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Fri, 06 Oct 2017 15:00:10 +0000<\/strong><\/p>\n

In April, Xudong Zheng, a security enthusiast based in New York,\u00a0found<\/a> a flaw in some modern browsers in the way they handle domain names. While Chrome<\/a>, Firefox<\/a>, and Opera<\/a> already have security measures in place to cue users that they might be visiting a destination they thought was legitimate, at that time these browsers did not flag a fake domain name that used all Latin look-alike characters taken from another foreign language.\u00a0Zheng demonstrated this when he created and registered a\u00a0proof-of-concept (PoC)<\/a> page for the domain, \u0430\u0440\u0440\u04cf\u0435.com, which was written in pure Cyrillic characters.<\/p>\n

What is a homograph attack?<\/h3>\n

A homograph attack is a method of deception wherein a threat actor leverages on the similarities of character scripts to create and register phony domains of existing ones to fool users and lure them into visiting. This attack has some known aliases: homoglyph attack,\u00a0script spoofing, and homograph domain name spoofing.\u00a0<\/em>Characters\u2014i.e., letters and numbers\u2014that look alike are called homoglyphs<\/em> or\u00a0homographs<\/em>, thus the name of the attack. Examples of such are the\u00a0Latin small letter O (U+006F) and the Digit zero (U+0030). Hypothetically, one might register bl00mberg.com<\/em>\u00a0or g00gle.com<\/em> and get away with it. But in this day and age, such simple character swaps could be easily detected.<\/p>\n

In an internationalized domain name (IDN)<\/a> homograph attack, a threat actor creates and registers one or several fake domains using at least one look-alike character from a different language. Again, hypothetically, one might register g\u03bf\u03bfgle.com<\/em>, but not before swapping the Latin small letter O (U+006F) with the Greek small letter Omicron (U+03BF).<\/p>\n

Zheng’s PoC is another example of an IDN homograph attack, so let’s list down each character he used to illustrate how this particular attack can be highly successful and dangerous if used in the wild. Interestingly, an operating system’s typeface of choice could make it easy or difficult for users to visually differentiate non-Latin characters from Latin ones.<\/p>\n

\"\"<\/p>\n

Table 1: We used\u00a0Segoe UI<\/a>, Microsoft’s system-wide typeface, here.<\/em><\/p>\n

To the human eye, these Cyrillic glyphs can easily be confused with their Latin counterparts. Computers, however, read these confusables differently, as we can see from the different hex codes assigned to them.<\/p>\n

\"\"<\/p>\n

Table 2: We used San Francisco<\/a>, Apple’s system-wide typeface, here. It’s worth noting that OSX distinguishes the Cyrillic small letter Palochka from the Latin small letter L; however, it cannot show the difference between the Latin small letter L with the Latin capital letter I, as per the text “Cyrillic small letter Ie”.<\/em><\/p>\n

According to this bug report<\/a>, it seems that even the system-wide font for Linux doesn’t distinguish confusable characters either.<\/p>\n

The use of all-Cyrillic glyphs\u2014or any other non-Latin characters for this matter\u2014for domain names isn’t the problem. IDN has made it possible for internet users around the globe to create and access domains using their native language scripts. The problem is when these glyphs are misused to deceive internet users.<\/p>\n

Is this a new form of online threat?<\/h3>\n

Homograph attacks have been around for years. As far as we know, Zhang’s PoC was the first of its kind to make headlines and spark a conversation among internet users.<\/p>\n

Below are other examples of\u00a0homographed domains and how they were used:<\/p>\n