When Is Apple.com Not Apple.com? Faked Punycode Domains Running Rampant

Monday, May 01, 2017

Magni R. Sigurdsson

B2469d3b365f73d091fac06f227950e2

We have seen a significant uptick in phishing attacks using “Punycode” to exploit a basic vulnerability in web browsers, with phishers able to have the address bar represent what (to the naked, Roman alphabet-reading eye) appear to be correct domains for prominent websites like icloud.com, gmail.com, apple.com, and hotmail.com – but they’re not! The vulnerability affects Mozilla Firefox and un-updated Opera and Chrome web browsers, and makes it additionally difficult for users to identify a faked web page without checking the SSL certificate or carefully inspecting the complete URL.

What’s Punycode?

Punycode is a way to represent Unicode within the limited character subset of ASCII used for Internet host names. This is done to allow the display of internationalized domain names (IDNs) in languages that don’t use the Latin alphabet (or use variations of it). For example the Punycode domain “xn--bcher-kva.ch“ will show up in your browser as“Bücher.ch.“  The potential to abuse this functionality has long been known to cybercriminals, mixing characters from multiple languages – and Internet browsers in response were upgraded to display potentially confusing domains in the “xn-…” form.

However, there’s a new twist – if every character is replaced with a similar character from a single foreign language, the domain name will be shown – potentially leading to confusion among users that can be exploited for phishing attacks. Xudong Zheng, a Chinese security researcher, discovered the vulnerability, and as a proof-of-concept set up the web page “xn--80ak6aa92e.com,” which the browser translates to “https://www.аррӏе.com/.”

How Do You Spell Paypal?

For our part, we’ve seen a significant increase in Punycode domains over the past few days meant to exploit the newfound vulnerability:

For example, by using the Cyrillic “a” the attacker is able to fake the domain “paypal.com.” Usually you can spot a fake phishing website by its domain, but in this case the domain will be displayed to the user as it’s supposed to be.

Figure 1:  “paypḁl.com” that has already been blocked by Google.

Here’s an example for “hotmail.com”, where the user clicks a link that has this URL: http://www.xn--hotmal-t9a.com/ and the browser translates this to “hotmaıl.com.”

Capture1_copy.png

Figure 2:. “hotmaıl.com” displayed as the main domain

When the “Sign in Hotmail” link is clicked, the user is taken to a phishing page to choose an email provider from a drop-down list (Figure 3). After selecting Gmail, we were asked to install a chrome extension (Figure 4). The extension hijacks the browser and changes the startup page, installs a toolbar and will display ads in searches and try to have the user install a “PC Cleaner tool” that’s supposed to remove adware and malware

Capture2.PNG

Figure 3: E-mail provider selected.

Capture3.PNG

Figure 4: User is asked to install the browser extension.

What Can I Do?

In the latest version of Google Chrome, this vulnerability has been fixed (version 58.0.3029.81), as it has in Opera (Version 44.0.2510.1449). To disable Punycode support in Mozilla Firefox, type about:config in the Firefox address bar and press enter. Then type network.IDN_show_punycode and set it to true by double clicking it.

About the author: Magni Reynir Sigurdsson is a senior malware researcher at Cyren, an internet Security as a Service provider that protects users against cyber attacks and data breaches through cloud-based web security, email security, DNS security and cloud sandboxing solutions.

Possibly Related Articles:
31536
Phishing
Phishing Punycode web browser Unicode Domain Phishing
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.