<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">I ran an analysis using an early draft
of the Root Zone LGR for Latin.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Of the about 270 unique labels
distributed across the sample domain names in the first blog entry
posted by Jim, I found that a good 20% or so are excluded because
the Root Zone does not support historic or purely phonetic code
points.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">After subtracting those, most of the
phishing attempts (except 2) were based on "random umlaut disease"
or "rock-dots". That is, substituting a random accented letter.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Of these, the most dangerous ones are
the ones with the least visible diacritics (dot below, or dot
above, in that order). These can be hard to detect even for users
familiar with accents. The dot below also happens to clash with
URL underlining.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Other accents will fool North American
users, but would probably be no worse in their effects than
standard misspellings for most other users of the Latin script.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">The sample included two all-Cyrillic
labels, something that wouldn't be supported in the Root. It's not
clear why so few: either the sampled target domains don't lend
themselves to this attack or some of the possible countermeasures
(like flagging mixed script labels) are already having a deterrent
effect.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">A./<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">PS: here's the list of code points from
the sample data that will not be supported in the Root Zone:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">
<div class="moz-forward-container">{0138 0163 0185 01BF 01E5 01F5
0227 022F 0251 0261 027E 043A 1E03 1E05 1E07 1E0B 1E1F 1E23 1E57
1E5B 1E8B 1E93}</div>
<div class="moz-forward-container"><br>
</div>
<div class="moz-forward-container">0251 is the bowl a and 01BF is
the WYNN (looks like a P) used in this attack:</div>
<div class="moz-forward-container"><br>
</div>
<div class="moz-forward-container">
<pre class="hl"><a class="moz-txt-link-abbreviated" href="http://www.xn--le-m1aa24e.com">www.xn--le-m1aa24e.com</a>. --> <a class="moz-txt-link-abbreviated" href="http://www.ɑƿƿle.com">www.ɑƿƿle.com</a>.</pre>
</div>
<div class="moz-forward-container"><br>
</div>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 12/28/2018 12:52 PM, Jim DeLaHunt
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5043ac25-0346-bbc2-0ec1-39def10221ba@jdlh.com">
<p>Hello, UA friends:</p>
<p>North America is in the midst of a holiday season right now,
and I hope everyone on this list with holidays has been enjoying
them — and that those without holidays right now get them soon.
:-)</p>
<p>I'd like to pass on links to two blog posts from Farsight
Security about Internationalised Domain Name-based homograph
attacks. I don't see that these were shared with this list when
they appeared. I don't agree with everything in these blogs, but
I do like to practice my ability to argue in favour of IDN use
and against IDN-based fear-mongering. These blogs are useful
practice material.</p>
<p><br>
</p>
<p><i>Touched by an IDN: Farsight Security shines a light on the
Internet's oft-ignored and undetected security problem<br>
</i> Wednesday, January 17, 2018 By Mike Schiffman<span
itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">
(Farsight Security)<br>
&lt;<a moz-do-not-send="true"
href="https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/">https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/</a>&gt;<br>
"</span></span>Committed to making online interactions safer
for all users, Farsight Security regularly investigates systemic
threats to the Internet. The design and implementation of the
DNS <a
href="https://en.wikipedia.org/wiki/Internationalized_domain_name"
moz-do-not-send="true">Internationalized Domain Name (IDN)</a>
system poses such a threat – one well known by DNS industry
insiders and security professionals but not known or well
understood by the wider public. The purpose of this research is
to bridge that knowledge gap – to offer a keyhole glimpse into
the shadowy world of brand lookalike abuse via IDN homographs.</p>
<p>"Registration of confusing Internet DNS names for the purpose
of misleading consumers is not news. Every user of the Internet
learns – often the hard way – that much of the email they
receive is forged, and many of the World Wide Web links they are
prompted to click on are malicious. Yet IDN, a DNS standard
representing non-English domain names, allows forgeries to be
nearly undetectable by either human eyes or human judgement, or
by traditional Internet user interface tools such as email
clients and web browsers.</p>
<p>"Using its real-time DNS network, Farsight Security conducted
new research to determine the prevalence and reach of <a
href="https://en.wikipedia.org/wiki/Homograph"
moz-do-not-send="true">homographs</a>, in the form of IDN
lookalike domains, across the Internet. Specifically, Farsight
examined 125 top brand domain names, including large content
providers, social networking giants, financial websites, luxury
brands, cryptocurrency exchanges and other popular websites. Our
findings underscore that the potential security risk posed by
IDN homographs is significant. Any ultimate defense against this
variant of Internet forgery will rely on Internet governance and
security automation. It is to inform the need for such solutions
that we offer the findings below.<span itemprop="author"
itemscope="" itemtype="http://schema.org/Person"><span
itemprop="name">"</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name"><br>
</span></span></p>
<p><i>Free Airline Tickets: The Latest Internationalized Domain
Name-based Homograph Scam</i><span class="text-muted"><time
datetime="2018-08-13T19:37:03+00:00"
itemprop="datePublished"><br>
Monday, August 13, 2018</time> </span> By <span
itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">Mike
Schiffman (Farsight Security)<br>
&lt;<a moz-do-not-send="true"
href="https://www.farsightsecurity.com/2018/08/13/mschiffm-freeticketsscam/">https://www.farsightsecurity.com/2018/08/13/mschiffm-freeticketsscam/</a>&gt;<br>
"As part of our continuous monitoring of the
Internationalized Domain Name (IDN) space, Farsight recently
found evidence of what appears to be an ongoing IDN
homograph-based phishing campaign targeting mobile users.
The suspected phishing websites purport to be those of
commercial airline carriers offering free tickets, but,
instead, appear to subject the user to a bait-and-switch
scam."<br>
</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name"><br>
</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">I
will also mention again Farsight Security's report on IDN
Homograph attacks. This was discussed on this list (Subject:
<i>Re: [UA-discuss] Once again</i>, Date: Wed, 27 Jun 2018
15:56:37 +0000 etc.)</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name"><i><br>
Farsight Security Global Internationalized Domain Name
Homograph Report, Q2/2018</i><br>
&lt;<a moz-do-not-send="true"
href="https://info.farsightsecurity.com/farsight-idn-research-report">https://info.farsightsecurity.com/farsight-idn-research-report</a>&gt;<br>
"IDN Report: Internationalized Domain Names (IDNs) enable a
multilingual Internet. Using IDN standards and protocols,
Internet-users are able to register and use domain names in
scripts other than Basic Latin. Yet IDNs are often abused by
cybercriminals to conduct malicious activities, such as
phishing or malware distribution.<br>
<br>
In this new research report, "Farsight Security Global
Internationalized Domain Name Homograph Report Q2/2018,"
Farsight Security examines the prevalence and distribution
of IDN homographs across the Internet. We examined 100
Million IDN resolutions over a 12-month period with a focus
on over 450 top global brands across 11 sectors including
finance, retail, and technology."</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">Best
regards and happy new year, <br>
—Jim DeLaHunt, Vancouver, Canada<br>
</span></span></p>
<pre class="moz-signature" cols="72">--
--Jim DeLaHunt, <a class="moz-txt-link-abbreviated" href="mailto:jdlh@jdlh.com" moz-do-not-send="true">jdlh@jdlh.com</a> <a class="moz-txt-link-freetext" href="http://blog.jdlh.com/" moz-do-not-send="true">http://blog.jdlh.com/</a> (<a class="moz-txt-link-freetext" href="http://jdlh.com/" moz-do-not-send="true">http://jdlh.com/</a>)
multilingual websites consultant
355-1027 Davie St, Vancouver BC V6E 4L2, Canada
Canada mobile +1-604-376-8953
</pre>
</blockquote>
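<p>The label check described in the reply above, as an added example that is not part of the original thread or of any Root Zone LGR tooling: it Punycode-decodes each label, reports code points from the posted exclusion list, and flags mixed-script labels and dot-below/dot-above marks. The function names, the name-based script heuristic and the two <code>example</code> labels are assumptions constructed for illustration.</p>

```python
import unicodedata

# Code points the reply lists as not supported in the Root Zone
# (copied from the list in the message; nothing added).
ROOT_EXCLUDED = {int(h, 16) for h in """
0138 0163 0185 01BF 01E5 01F5 0227 022F 0251 0261 027E 043A 1E03 1E05
1E07 1E0B 1E1F 1E23 1E57 1E5B 1E8B 1E93""".split()}

# The least visible diacritics, in the order the reply ranks them.
LOW_VISIBILITY = {0x0323: "dot below", 0x0307: "dot above"}


def to_u_label(label):
    """Return the Unicode form of a label; A-labels (xn--) are decoded."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def audit_label(label):
    """Report excluded code points, scripts and low-visibility marks."""
    u = to_u_label(label)
    excluded = [f"{ord(c):04X}" for c in u if ord(c) in ROOT_EXCLUDED]
    # Heuristic (assumption): the script is taken from the first word of
    # the character name, because the stdlib has no Script property.
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in u
               if unicodedata.category(c).startswith("L")}
    # Decompose so precomposed letters expose their combining marks.
    marks = sorted({LOW_VISIBILITY[ord(m)]
                    for m in unicodedata.normalize("NFD", u)
                    if ord(m) in LOW_VISIBILITY})
    return {"u_label": u, "excluded": excluded, "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1, "low_visibility_marks": marks}


def audit_domain(name):
    """Audit every label of a domain name."""
    return [audit_label(part) for part in name.rstrip(".").split(".") if part]


if __name__ == "__main__":
    samples = ["www.xn--le-m1aa24e.com.",  # the name quoted in the reply
               "ex\u1ea1mple.com",         # constructed: a with dot below
               "ex\u0430mple.com"]         # constructed: Cyrillic a in Latin
    for name in samples:
        for r in audit_domain(name):
            if r["excluded"] or r["mixed_script"] or r["low_visibility_marks"]:
                print(name, r)
```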
<p><br>
</p>
</body>
</html>