Phishers Specialize in Using Loopholes: IDN Homographic Attacks

In March of this year, brand owners with an ecommerce presence on the Internet became generally aware of a flaw in how Internationalized Domain Names (IDNs) are displayed in a browser's address bar. Depending on the domain name and the script it is written in, a user could incorrectly believe they were at a legitimate site.

For example, consider the domain names pay.com and рау.com. Yes, there IS a difference: in the second domain name, the label to the left of the dot is made up entirely of Cyrillic letters, which makes the two domains visually indistinguishable in most fonts. This is the trick: depending on the web browser being used, the difference may only become evident if the punycode form is displayed in the address bar. Punycode is the encoding that translates an IDN into the Latin letters, digits and hyphens supported by the domain name system; it is what makes IDN registration possible at all, and a punycode label is recognizable by its four-character prefix (xn--). Scamming with visually similar or identical IDN registrations is known as an IDN homographic attack.

Most organizations managing a domain portfolio that has a good mix of ccTLDs (Country Code Top Level Domains) probably already own a few Internationalized Domain Names (IDNs) or at least have considered them at some point. IDNs allow people around the globe to use domain names in different languages and scripts such as Cyrillic and Chinese.

From a marketing perspective a company may choose not to invest in IDNs. From a defensive perspective, however, owning strategic IDNs could save headaches down the road. As with many areas of the Internet, IDNs have not escaped the threat actor's radar: the very feature that makes IDNs possible also leaves room for threat actors to create confusion, with methods devious enough to fool even the savviest Internet user.

Most of the major web browsers have addressed this by showing such a domain in the address bar in its punycode form rather than its Unicode form, i.e. http://xn--80a5ak.com/ instead of рау.com. Phishing sites utilizing this attack are just as likely to be detected as any other phishing site, due to page content, email sending behavior and all the other signals that generally indicate phishing activity. Brand owners who utilize a domain registration watching service such as MarkMonitor's Early Warning System can proactively monitor for registrations of the punycode forms of look-alike IDNs that they do not already own.
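The two practical tasks the paragraphs above describe are converting between the Unicode and punycode (xn--) forms of a domain and enumerating the look-alike variants of a brand label so their punycode forms can be put on a watch list. The following is an added example written for this page, not code from the original post or from MarkMonitor; it uses Python's built-in `idna` codec and a small, constructed table of Cyrillic letters that render like Latin ones (a subset chosen for illustration, not the full Unicode confusables data). It also classifies an observed domain, in either form, by the scripts its first label mixes and by the brand label it imitates.

```python
"""Added example: punycode watch-list generation and look-alike classification
for IDN homograph domains. Illustrative code, not from the original post."""
import itertools
import unicodedata

# Latin letters with a Cyrillic letter that renders the same in common fonts.
# Constructed subset for this example, not the full Unicode confusables data.
CYRILLIC_LOOKALIKES = {
    "a": "\u0430",  # а CYRILLIC SMALL LETTER A
    "c": "\u0441",  # с CYRILLIC SMALL LETTER ES
    "e": "\u0435",  # е CYRILLIC SMALL LETTER IE
    "o": "\u043e",  # о CYRILLIC SMALL LETTER O
    "p": "\u0440",  # р CYRILLIC SMALL LETTER ER
    "x": "\u0445",  # х CYRILLIC SMALL LETTER HA
    "y": "\u0443",  # у CYRILLIC SMALL LETTER U
}
LATIN_OF = {cyr: lat for lat, cyr in CYRILLIC_LOOKALIKES.items()}


def to_punycode(domain):
    """The ASCII form the DNS sees: Unicode labels become xn-- labels,
    pure-ASCII labels (including existing xn-- labels) pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Accept either form and return the Unicode form a browser might render."""
    return domain.encode("idna").decode("idna")


def label_scripts(label):
    """Sorted list of script names (first word of the Unicode character name)
    for the letters in a label; digits and hyphens are ignored."""
    return sorted({unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()})


def skeleton(label):
    """Map each Cyrillic look-alike back to the Latin letter it imitates."""
    return "".join(LATIN_OF.get(ch, ch) for ch in label)


def homograph_variants(label):
    """Every variant of label with one or more Latin letters swapped for a
    look-alike: both mixed-script and whole-script (all-Cyrillic) variants."""
    swappable = [i for i, ch in enumerate(label) if ch in CYRILLIC_LOOKALIKES]
    variants = []
    for r in range(1, len(swappable) + 1):
        for positions in itertools.combinations(swappable, r):
            chars = list(label)
            for i in positions:
                chars[i] = CYRILLIC_LOOKALIKES[chars[i]]
            variants.append("".join(chars))
    return variants


def watchlist(brand_label, tld="com"):
    """Map xn-- form -> Unicode form for every look-alike of brand_label.tld.
    The xn-- strings are what a registration-monitoring service should watch."""
    return {to_punycode(f"{v}.{tld}"): f"{v}.{tld}" for v in homograph_variants(brand_label)}


def assess(domain, brand_labels):
    """Classify an observed domain (Unicode or xn-- form): which scripts its
    first label mixes and which brand label it would be mistaken for, if any."""
    uni = to_unicode(domain)
    label = uni.split(".")[0]
    scripts = label_scripts(label)
    skel = skeleton(label)
    return {
        "unicode": uni,
        "punycode": to_punycode(uni),
        "scripts": scripts,
        # Mixed Latin/Cyrillic labels are the ones browsers usually refuse to
        # render as Unicode; a whole-script confusable is the harder case.
        "mixed_script": len(scripts) > 1,
        "lookalike_of": skel if skel != label and skel in brand_labels else None,
    }


if __name__ == "__main__":
    for ace, uni in sorted(watchlist("pay").items()):
        print(f"{ace:24} {uni}")
    for observed in ("pay.com", "xn--80a5ak.com", "p\u0430y.com"):
        print(assess(observed, {"pay"}))
```

For the brand label `pay` the watch list has seven entries; the all-Cyrillic one is `xn--80a5ak.com`, the domain from this post. Anything the service reports as newly registered from that list can be fed back through `assess`, whose `mixed_script` flag separates the variants most browsers already show as punycode from the whole-script confusables that need a content- or behaviour-based signal to catch.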

A good source for more detail about this issue is this post from The Chromium Projects: https://www.chromium.org/developers/design-documents/idn-in-google-chrome. Though most of the post is specific to Chrome, it also discusses the behavior of the other major browsers.