[UA-discuss] UASG Response to WordFence IDN Phishing concerns

Edmon Chung edmon at registry.asia
Wed Apr 26 12:07:26 UTC 2017


Should consider including reference to:

 

https://www.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf

Only 10 of the 42,624 domain names we studied were IDNs, and only one was a homographic attack.

 

https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf

Eighty-two of the 82,163 domain names were internationalized domain names (IDNs), and none were homographic attacks.

 

https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf

Seventy-eight of the 53,685 domain names were internationalized domain names (IDNs), and three of them were homographic attacks.

 

And this is certainly not a new issue:

 

https://www.symantec.com/content/dam/symantec/docs/security-center/archives/intelligence-quarterly-oct-09-en.pdf

 

 

http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_08-2011.en-us.pdf

 

Edmon

 

 

 

From: ua-discuss-bounces at icann.org [mailto:ua-discuss-bounces at icann.org] On Behalf Of Lars Steffen
Sent: Wednesday, 26 April 2017 18:15 PM
To: Andrei Kolesnikov <andrei at rol.ru>; Don Hollander <don.hollander at icann.org>
Cc: Dr. AJAY D A T A <ajay at data.in>; tan tanakadennis via ua-discuss <ua-discuss at icann.org>
Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns

 

Hi all, 

A general reply to this thread: Can we agree on the current version of the blog post to be published asap before we continue the discussion…?

Thank you,

Lars

 

From: ua-discuss-bounces at icann.org [mailto:ua-discuss-bounces at icann.org] On Behalf Of Andrei Kolesnikov
Sent: Wednesday, 26 April 2017 12:06
To: Don Hollander <don.hollander at icann.org>
Cc: Dr. AJAY D A T A <ajay at data.in>; tan tanakadennis via ua-discuss <ua-discuss at icann.org>
Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns

 

Dusan gave us a great overview of different ccTLDs over which ICANN has very little control. However, most of the cc registries carry out a mitigation process to bring down malicious domain names used explicitly for bad purposes.

I definitely don't support overheating the problem. If the cross-script attack reaches the level of the Kaminsky attack hysteria, we are in deep trouble :)

--andrei

 

2017-04-26 12:50 GMT+03:00 Don Hollander <don.hollander at icann.org>:

I would expect a fair number of ccTLDs where it could be an issue as well.

 

Andrei:  What about ccTLDs in other Cyrillic script communities?  Have they taken the same precautions as .ru?

 

 

D

 

On 26/04/2017, at 9:40 PM, Dr. AJAY D A T A <ajay at data.in> wrote:

 

Exactly, Andrei. Thank you for confirming the same.

I confirmed with the .pyc registry (we enabled EAI on почта.рус) also, and they are not allowed (as per agreement) to use any script other than Cyrillic.

So basically it looks like a .com problem. Any examples other than .com? It narrows down the problem to solve.

Thanks. 

Dr. Ajay DATA  | Founder & CEO 

Get email id like अजय@डाटा.भारत in your own language,
visit www.xgenplus.com <http://www.xgenplus.com/>

 


  _____  


From: Andrei Kolesnikov <andrei at rol.ru>  MailId : [68484721]
To: Don Hollander <don.hollander at icann.org>
Cc: "Dr. AJAY D A T A" <ajay at data.in>, tan tanakadennis via ua-discuss <ua-discuss at icann.org>
Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Date: 26 Apr 2017 02:16:05 PM

Don, 
there is no such thing as IDN at .RU - only ASCII is allowed - we understood the problem a long time ago due to the similarity of many Cyrillic letters with Latin.

In the IDN .РФ in Russia, only Cyrillic is allowed.
This definitely must be the rule for registries. Or some kind of immediate mitigation service to bring down dangerous domains. 

--andrei

 

2017-04-26 11:34 GMT+03:00 Don Hollander <don.hollander at icann.org>:

Hi Andrei: 

 

What about at the ccTLD?  idn.ru?  Does .ru also allow ASCII?

Does the .ru registry, for example, do anything to address homoglyphs between ASCII and Cyrillic?

 

D

 

On 26/04/2017, at 8:30 PM, Andrei Kolesnikov <andrei at rol.ru> wrote:

 

Most use of idn.ascii gTLD, as far as I know, is .com, for example http://путин.com/ [xn--h1akeme.com]

Basically most of the confusing cases discussed above are from .com

--andrei

 

2017-04-26 10:35 GMT+03:00 Dr. AJAY D A T A <ajay at data.in>:

Hello Don, 

Which registries are allowed to register mixed-script domains when registering an IDN? I checked .pyc (Cyrillic) and .भारत (Devanagari); they do not allow a mix of scripts. I think if we address those registries through ICANN by modifying the registry agreement, the major problem can be solved.

Thanks. 

 

Dr. Ajay DATA  | Founder & CEO 

Get email id like अजय@डाटा.भारत in your own language,
visit www.xgenplus.com <http://www.xgenplus.com/>

 


  _____  


From: "Tan Tanaka,Dennis via UA-discuss" <ua-discuss at icann.org>  MailId : [68456683]
To: Don Hollander <don.hollander at icann.org>, "ua-discuss at icann.org" <ua-discuss at icann.org>
Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Date: 25 Apr 2017 06:28:22 PM

 

Don, my comments enclosed

 

Thanks

-Dennis

 

From: <ua-discuss-bounces at icann.org> on behalf of Don Hollander <don.hollander at icann.org>
Date: Monday, April 24, 2017 at 5:40 PM
To: "UA-discuss at icann.org" <ua-discuss at icann.org>
Subject: [EXTERNAL] [UA-discuss] UASG Response to WordFence IDN Phishing concerns

 

Further to recent discussion on this list, we have drafted a document that we plan on posting as a Blog Post to the UASG Web site that can be referenced by others.

 

We want to get feedback from the community on this document by Thursday UTC.

 

So, here it is – pasted below and as a word document in case you want to enable tracking and make amendments.   If you have comments or suggestions, please share them to this group.

 

Don

 

 

 

IDNs and Phishing: What You Need to Know

By TBD at UASG 

 

Internationalized Domain Names <https://www.icann.org/resources/pages/idn-2012-02-25-en> (IDNs) are growing in popularity, a testament to their role in the expansion of the global Internet and the value they provide in connecting non-English speakers to the Web. However, you may have noticed a renewed focus over the past week of a script mixing technique that phishing scammers could potentially use to trick Internet users into visiting malicious websites. This phishing method takes advantage of the fact that characters from various languages and scripts are sometimes visually similar to each other. For example, the Cyrillic “а” and the ASCII <https://en.wikipedia.org/wiki/ASCII> “a” look virtually identical. This technique is known as a homograph attack.

 

Homographic phishing efforts associated with IDNs are not new. In fact, they date back to the early 2000s. Registries have since implemented policies that preclude mixing scripts[1] within a domain name label.

 

While this issue should be taken seriously and serves as an important reminder of consumer safety, various IDN and anti-abuse groups are actively working to mitigate potential threats, and there are already certain browser-set protections in place. In the meantime, Internet users should practice the same basic security hygiene that is always recommended: avoid clicking suspicious links, and use a good password manager that will only enter login credentials on trusted sites. 

 

Equally important is to recognize the benefits of IDNs and avoid disabling them, which could lead to an unpredictable user experience and eventually a decrease in adoption. IDNs are essential in bringing non-English speakers – the majority of the world’s population – online, and allowing those users to create their own highly relevant online identities as well as navigate the Internet in their native languages. In addition to the social and cultural benefits of IDNs, they also represent a significant economic opportunity; a recent report <https://uasg.tech/whitepaper/> commissioned by the Universal Acceptance Steering Group (UASG) found that online spending from new IDN users could start at USD 6.2 billion per year.

 

The UASG’s mission is to help software developers and website owners keep pace with the evolving Domain Name System (DNS) – and this includes issues around the adoption and acceptance of IDNs. If you’d like to get involved in helping work toward a solution to this and other IDN-related issues, please visit https://uasg.tech/ or get in touch <https://uasg.tech/contact/> to learn more.

 

 





  _____  


[1] Exceptions are practiced for languages with established orthographies and conventions that require the commingled use of multiple scripts, e.g. the Japanese writing system.





-- 

Andrey Kolesnikov

RIPN.NET <http://RIPN.NET>

 

 

Don Hollander 

Universal Acceptance Steering Group

Skype: don_hollander
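
The registry rule discussed in this thread (no mixing of scripts within a label, with the footnoted exception for writing systems such as Japanese) can be checked mechanically. The following is an added example, not part of the original messages or of any registry's code: it approximates a character's script by the first word of its Unicode name, and the allowed Japanese combination and the "p\u0430ypal" sample are constructed assumptions.

```python
import unicodedata

# Script sets that may legitimately share one label. The Japanese combination
# mirrors the draft's footnote; modelling it this way is an assumption of this
# sketch, not an actual registry IDN table.
ALLOWED_COMBINATIONS = [{"CJK", "HIRAGANA", "KATAKANA", "LATIN"}]

def to_unicode(label):
    """Decode an A-label (xn--...) to its Unicode form; pass others through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_scripts(label):
    """Return the set of scripts used in one label.

    The standard library has no Script property, so the first word of the
    Unicode character name ("CYRILLIC", "LATIN", ...) stands in for it.
    """
    scripts = set()
    for ch in to_unicode(label):
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are shared across scripts
        scripts.add(unicodedata.name(ch).split()[0])
    return scripts

def is_mixed_script(label):
    """True if the label mixes scripts outside an allowed combination."""
    scripts = label_scripts(label)
    if len(scripts) <= 1:
        return False
    return not any(scripts <= allowed for allowed in ALLOWED_COMBINATIONS)

def check_domain(domain):
    """Map each label of a domain to (sorted scripts, mixed-script flag)."""
    return {lab: (sorted(label_scripts(lab)), is_mixed_script(lab))
            for lab in domain.split(".")}

if __name__ == "__main__":
    # xn--h1akeme.com is the example from the thread; the others are constructed.
    for name in ["xn--h1akeme.com", "p\u0430ypal.com", "日本語のドメイン.com"]:
        print(name, check_domain(name))
```

A label written entirely in one script passes this check even when it resembles a name in another script, so it covers only the script-mixing case the draft describes.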

 



