IDN homograph attack - Domain Spoofing

Taking a look at how IDN homograph attacks are done!

I have always wondered how malicious attackers register domains that look exactly like the original but differ in a character or two, usually Unicode look-alikes. I recently sank some time into figuring out how this attack works with the various characters, and I eventually succeeded.

I now own ȧpple.com and ḟacebook.com. If you open either link in Safari or Firefox, it appears exactly as shown above. If you open it in any Chromium-based browser instead, you see the ASCII version of it. Here's what happens in the background and how I did it.

Background

With an internationalized domain name (IDN) homograph attack, a hostile actor can deceive users about which remote system they are connecting to. There are plenty of look-alike characters that can be used for this. For example, the "a" in apple.com can be replaced with the Cyrillic character "а", or even with the Latin Extended Additional character "ȧ", which is what I've done in my POC domains. If you're interested, check this out!

Punycode

You may wonder how someone is able to register a domain containing Unicode characters. That's where Punycode comes in. If you inspect the URL closely in most Chromium-based browsers, you'll notice that what I actually registered is xn--acebook-js3c.com and xn--pple-pzb.com.

The characters ȧ and ḟ are Unicode characters that don't exist in ASCII. Punycode is an encoding that represents a Unicode string using only the ASCII character set, which is all that DNS and registrars accept for hostnames; a label that has been encoded this way is marked with the xn-- prefix. This is what allows someone to register a domain with Unicode characters.

In action

Let's take a look at how various browsers display a Punycode hostname by default.

Screenshots of the address bar (not preserved here): Firefox, Safari, Brave/Chrome.

Conclusion

Most Chromium-based browsers seem to have fixed this "issue" by displaying the ASCII (Punycode) form instead of decoding it to Unicode. Firefox and Safari, however, don't seem to do this by default, at least in my testing. There may well be other browsers I haven't tested that behave the same way.
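To make the Punycode section above concrete, and to show the kind of check that decides whether an address bar shows the Unicode form or the xn-- form, here is an added Python example (my own, not code from the original post). It converts the two POC names between the Unicode label and the Punycode label with Python's built-in idna codec, lists each non-ASCII character by its Unicode name so a reviewer can see exactly what was substituted, and applies a constructed, deliberately conservative display policy (flag any label that mixes scripts or carries combining marks). That policy is in the spirit of what Chromium does, not its actual implementation; the Cyrillic sample hostname is constructed for the demo, and deriving a character's script from the first word of its Unicode name is an assumption that is good enough here but not how browsers do it.

```python
import unicodedata

# Constructed sample hostnames: the two from the post, a Cyrillic look-alike
# (U+0430 CYRILLIC SMALL LETTER A) and the genuine ASCII name for comparison.
SAMPLES = [
    "\u0227pple.com",     # ȧpple.com   (U+0227 LATIN SMALL LETTER A WITH DOT ABOVE)
    "\u1e1facebook.com",  # ḟacebook.com (U+1E1F LATIN SMALL LETTER F WITH DOT ABOVE)
    "\u0430pple.com",     # аpple.com   (Cyrillic а, visually identical to Latin a)
    "apple.com",
]


def to_ascii(hostname: str) -> str:
    """Unicode label -> Punycode (xn--) label: the form that is actually
    registered and resolved. Python's idna codec applies IDNA2003 nameprep
    and then Punycode-encodes each non-ASCII label."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Punycode label -> Unicode label: what Firefox/Safari render by default."""
    return hostname.encode("ascii").decode("idna")


def non_ascii_chars(hostname: str) -> list[tuple[str, str]]:
    """Every non-ASCII character with its Unicode name, for a reviewer or a log line."""
    return [(ch, unicodedata.name(ch, "<unnamed>")) for ch in hostname if ord(ch) > 127]


def skeleton(hostname: str) -> str:
    """Decompose (NFKD) and drop combining marks: ȧ -> a + U+0307 -> a.
    This exposes the dot-above variants from the post; a Cyrillic а has no
    decomposition, so it needs the script check below instead."""
    decomposed = unicodedata.normalize("NFKD", hostname)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def scripts_in_label(label: str) -> set[str]:
    """Approximate script of each letter from the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Assumption: adequate for a demo; browsers use
    the Unicode Script property and confusable tables instead."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def should_show_punycode(hostname: str) -> bool:
    """Conservative display policy (constructed for this example): keep the xn--
    form if any label mixes scripts or contains characters with combining marks."""
    for label in hostname.split("."):
        if len(scripts_in_label(label)) > 1:
            return True
        if skeleton(label) != label:
            return True
    return False


if __name__ == "__main__":
    for host in SAMPLES:
        ascii_form = to_ascii(host)
        print(f"{host!r:24} -> {ascii_form:24} back: {to_unicode(ascii_form)!r}")
        print(f"  non-ASCII: {non_ascii_chars(host)}")
        print(f"  skeleton : {skeleton(host)}  show punycode? {should_show_punycode(host)}")
```

Running it reproduces the two registered names from the post (xn--pple-pzb.com and xn--acebook-js3c.com) and flags all three look-alikes while leaving apple.com untouched; the skeleton catches the dot-above letters and the script check catches the Cyrillic one, which is why a display policy needs both kinds of test.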

Impact

If you're reading this, you will definitely be able to pick out the difference and catch this. It's the general public we have to worry about. This attack opens up a lot of possibilities for phishing. From a distance, people might not be able to tell the difference and end up handing over their credentials.

Fix

The most obvious answer is to use a password manager. A password manager ties your saved credentials to the exact domain they were saved for, so they are never offered on a look-alike domain. This stops a look-alike domain from stealing your credentials!

The temporary solution for Firefox users is to open about:config and set network.IDN_show_punycode to true. Firefox will then show the same URL as Chromium-based browsers!

POC

Open these links in Firefox/Safari to see the effect!

http://ȧpple.com/

http://ḟacebook.com/

For those interested

--------------------------------------------------------------------------------------------
[Steps to reproduce]
- Purchase a domain name, specifically the ASCII version of "ȧpple.com", which turns out to be "xn--pple-pzb.com".
- Set up DNS records and point them at a server hosting a static site.
- Launch the latest version of Firefox and browse to "xn--pple-pzb.com".
--------------------------------------------------------------------------------------------
[Actual Results]
- Firefox decodes "xn--pple-pzb.com" and displays the Unicode version, "ȧpple.com", in the address bar to the end user.