<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 12/29/2018 10:51 AM, Asmus Freytag
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3e57fd07-4aba-cb3f-5c18-f54daa110425@ix.netcom.com">
<div class="moz-cite-prefix">I ran an analysis using an early
draft of the Root Zone LGR for Latin.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Of the about 270 unique labels
distributed across the sample domain names in the first blog
entry posted by Jim, I found that a good 20% or so are excluded
because the Root Zone does not support historic or purely
phonetic code points.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">After subtracting those, most of the
phishing attempts (except 2) were based on "random umlaut
disease" or "rock-dots". That is, substituting a random accented
letter.</div>
</blockquote>
<p>The Draft LGR had a bug; actual count of the exceptions is about
7. Other conclusions unaffected.<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:3e57fd07-4aba-cb3f-5c18-f54daa110425@ix.netcom.com">
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Of these, the most dangerous ones are
the ones with the least visible diacritics (dot below, or dot
        above, in that order). These can be hard to detect even for users
familiar with accents. The dot below also happens to clash with
URL underlining.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Other accents will fool North
American users, but would probably be no worse in their effects
than standard misspellings for most other users of the Latin
script.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">The sample included two all-Cyrillic
labels, something that wouldn't be supported in the Root. It's
not clear why so few: either the sampled target domains don't
        lend themselves to this attack or some of the possible
        countermeasures (like flagging mixed script labels) are already having
a deterrent effect.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">A./<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">PS: here's the list of code points
from the sample data that will not be supported in the Root
Zone:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">
<div class="moz-forward-container">{0138 0163 0185 01BF 01E5
01F5 0227 022F 0251 0261 027E 043A 1E03 1E05 1E07 1E0B 1E1F
1E23 1E57 1E5B 1E8B 1E93}</div>
<div class="moz-forward-container"><br>
</div>
<div class="moz-forward-container">0251 is the bowl a and 01BF
is the WYNN (looks like a P) used in this attack:</div>
<div class="moz-forward-container"><br>
</div>
<div class="moz-forward-container">
<pre class="hl"><a class="moz-txt-link-abbreviated" href="http://www.xn--le-m1aa24e.com" moz-do-not-send="true">www.xn--le-m1aa24e.com</a>. --> <a class="moz-txt-link-abbreviated" href="http://www.ɑƿƿle.com" moz-do-not-send="true">www.ɑƿƿle.com</a>.</pre>
</div>
<div class="moz-forward-container"><br>
</div>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 12/28/2018 12:52 PM, Jim DeLaHunt
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5043ac25-0346-bbc2-0ec1-39def10221ba@jdlh.com">
<p>Hello, UA friends:</p>
<p>North America is in the midst of a holiday season right now,
and I hope everyone on this list with holidays has been
enjoying them — and that those without holidays right now get
them soon. :-)</p>
<p>I'd like to pass on links to two blog posts from Farsight
Security about Internationalised Domain Name-based homograph
attacks. I don't see that these were shared with this list
when they appeared. I don't agree with everything in these
blogs, but I do like to practice my ability to argue in favour
          of IDN use and against IDN-based fear-mongering. These blogs
are useful practice material.</p>
<p><br>
</p>
<p><i>Touched by an IDN: Farsight Security shines a light on the
Internet's oft-ignored and undetected security problem<br>
</i> Wednesday, January 17, 2018 By Mike Schiffman<span
itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">
(Farsight Security)<br>
              &lt;<a moz-do-not-send="true"
href="https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/">https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/</a>&gt;<br>
"</span></span>Committed to making online interactions
safer for all users, Farsight Security regularly investigates
systemic threats to the Internet. The design and
implementation of the DNS <a
href="https://en.wikipedia.org/wiki/Internationalized_domain_name"
moz-do-not-send="true">Internationalized Domain Name (IDN)</a>
system poses such a threat – one well known by DNS industry
insiders and security professionals but not known or well
understood by the wider public. The purpose of this research
is to bridge that knowledge gap – to offer a keyhole glimpse
into the shadowy world of brand lookalike abuse via IDN
homographs.</p>
<p>"Registration of confusing Internet DNS names for the purpose
of misleading consumers is not news. Every user of the
Internet learns – often the hard way – that much of the email
they receive is forged, and many of the World Wide Web links
they are prompted to click on are malicious. Yet IDN, a DNS
standard representing non-English domain names, allows
forgeries to be nearly undetectable by either human eyes or
human judgement, or by traditional Internet user interface
tools such as email clients and web browsers.</p>
<p>"Using its real-time DNS network, Farsight Security conducted
new research to determine the prevalence and reach of <a
href="https://en.wikipedia.org/wiki/Homograph"
moz-do-not-send="true">homographs</a>, in the form of IDN
lookalike domains, across the Internet. Specifically, Farsight
examined 125 top brand domain names, including large content
providers, social networking giants, financial websites,
luxury brands, cryptocurrency exchanges and other popular
websites. Our findings underscore that the potential security
risk posed by IDN homographs is significant. Any ultimate
defense against this variant of Internet forgery will rely on
Internet governance and security automation. It is to inform
the need for such solutions that we offer the findings below.<span
itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">"</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name"><br>
</span></span></p>
<p><i>Free Airline Tickets: The Latest Internationalized Domain
Name-based Homograph Scam</i><span class="text-muted"><time
datetime="2018-08-13T19:37:03+00:00"
itemprop="datePublished"><br>
Monday, August 13, 2018</time> </span> By <span
itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">Mike
Schiffman (Farsight Security)<br>
              &lt;<a moz-do-not-send="true"
href="https://www.farsightsecurity.com/2018/08/13/mschiffm-freeticketsscam/">https://www.farsightsecurity.com/2018/08/13/mschiffm-freeticketsscam/</a>&gt;<br>
"As part of our continuous monitoring of the
Internationalized Domain Name (IDN) space, Farsight
recently found evidence of what appears to be an ongoing
IDN homograph-based phishing campaign targeting mobile
users. The suspected phishing websites purport to be those
of commercial airline carriers offering free tickets, but,
instead, appear to subject the user to a bait-and-switch
scam."<br>
</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name"><br>
</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">I
will also mention again Farsight Security's report on IDN
Homograph attacks. This was discussed on this list
(Subject: <i>Re: [UA-discuss] Once again</i>, Date: Wed,
27 Jun 2018 15:56:37 +0000 etc.)</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name"><i><br>
Farsight Security Global Internationalized Domain Name
Homograph Report, Q2/2018</i><br>
              &lt;<a moz-do-not-send="true"
href="https://info.farsightsecurity.com/farsight-idn-research-report">https://info.farsightsecurity.com/farsight-idn-research-report</a>&gt;<br>
              "IDN Report: Internationalized Domain Names (IDNs) enable a
multilingual Internet. Using IDN standards and protocols,
Internet-users are able to register and use domain names
in scripts other than Basic Latin. Yet IDNs are often
abused by cybercriminals to conduct malicious activities,
such as phishing or malware distribution.<br>
<br>
In this new research report, "Farsight Security Global
Internationalized Domain Name Homograph Report Q2/2018,"
Farsight Security examines the prevalence and distribution
of IDN homographs across the Internet. We examined 100
Million IDN resolutions over a 12-month period with a
focus on over 450 top global brands across 11 sectors
including finance, retail, and technology."</span></span></p>
<p><span itemprop="author" itemscope=""
itemtype="http://schema.org/Person"><span itemprop="name">Best
regards and happy new year, <br>
—Jim DeLaHunt, Vancouver, Canada<br>
</span></span></p>
<pre class="moz-signature" cols="72">--
--Jim DeLaHunt, <a class="moz-txt-link-abbreviated" href="mailto:jdlh@jdlh.com" moz-do-not-send="true">jdlh@jdlh.com</a> <a class="moz-txt-link-freetext" href="http://blog.jdlh.com/" moz-do-not-send="true">http://blog.jdlh.com/</a> (<a class="moz-txt-link-freetext" href="http://jdlh.com/" moz-do-not-send="true">http://jdlh.com/</a>)
multilingual websites consultant
355-1027 Davie St, Vancouver BC V6E 4L2, Canada
Canada mobile +1-604-376-8953
</pre>
</blockquote>
<p><br>
</p>
</blockquote>
<p><br>
</p>
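<p>The label check described in this thread, as an added example that is not part of the original messages: it decodes an A-label with Python's raw Punycode codec, reports code points from the PS list, and flags the dot below and dot above marks the message singles out. The function names are hypothetical, the exclusion set is only the sample subset quoted above (not the Root Zone LGR itself), and the script guess from Unicode character names is an assumption standing in for the Script property.</p>

```python
import unicodedata

# Code points listed in the message's PS: present in the sample data and not
# supported in the Root Zone. Only what the sample contained, not the full LGR.
SAMPLE_EXCLUDED = {int(h, 16) for h in (
    "0138 0163 0185 01BF 01E5 01F5 0227 022F 0251 0261 027E 043A "
    "1E03 1E05 1E07 1E0B 1E1F 1E23 1E57 1E5B 1E8B 1E93").split()}

# The two marks the message calls hardest to see.
LOW_VISIBILITY = {0x0323: "dot below", 0x0307: "dot above"}


def to_u_label(label):
    """Decode an A-label (xn--...) with the raw Punycode codec; pass others through."""
    if label[:4].lower() == "xn--":
        return label[4:].lower().encode("ascii").decode("punycode")
    return label


def review_label(label):
    """Return the findings for one label as a dict."""
    u = to_u_label(label)
    decomposed = unicodedata.normalize("NFD", u)
    return {
        "u_label": u,
        "excluded": sorted({f"{ord(c):04X}" for c in u if ord(c) in SAMPLE_EXCLUDED}),
        "low_visibility": sorted({LOW_VISIBILITY[ord(c)] for c in decomposed
                                  if ord(c) in LOW_VISIBILITY}),
        # Heuristic (assumption): first word of the Unicode character name stands
        # in for the Script property, which the standard library does not expose.
        "scripts": sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                           for c in u if c.isalpha()}),
    }


def review_domain(name):
    """Review every label of a domain name; keep only labels with a finding."""
    findings = {}
    for label in name.rstrip(".").split("."):
        r = review_label(label)
        if r["excluded"] or r["low_visibility"] or r["scripts"] not in (["LATIN"], []):
            findings[label] = r
    return findings


if __name__ == "__main__":
    # First name is the one quoted in the message; the others are constructed samples.
    for name in ("www.xn--le-m1aa24e.com.", "ex\u1ea1mple.test", "\u043a\u043e\u0442.test"):
        print(name, review_domain(name))
```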
</body>
</html>