[UA-discuss] [FYI] Two IDN Homograph blog posts from FarsightSecurity

Asmus Freytag asmusf at ix.netcom.com
Sat Dec 29 18:51:13 UTC 2018

I ran an analysis using an early draft of the Root Zone LGR for Latin.

Of the about 270 unique labels distributed across the sample domain 
names in the first blog entry posted by Jim, I found that a good 20% or 
so are excluded because the Root Zone does not support historic or 
purely phonetic code points.

After subtracting those, most of the phishing attempts (except 2) were 
based on "random umlaut disease" or "rock-dots". That is, substituting a 
random accented letter.

Of these, the most dangerous ones are the ones with the least visible 
diacritics (dot below, or dot above, in that order). These can be hard 
to detect even to users familiar with accents. The dot below also 
happens to clash with URL underlining.

Other accents will fool North American users, but would probably be no 
worse in their effects than standard misspellings for most other users 
of the Latin script.

The sample included two all-Cyrillic labels, something that wouldn't be 
supported in the Root. It's not clear why so few: either the sampled 
target domains don't lend themselves to this attack or some of the 
possible countermeasures (like flagging mixed script labels) are 
already having a deterrent effect.


PS: here's the list of code points from the sample data that will not be 
supported in the Root Zone:

{0138 0163 0185 01BF 01E5 01F5 0227 022F 0251 0261 027E 043A 1E03 1E05 
1E07 1E0B 1E1F 1E23 1E57 1E5B 1E8B 1E93}

0251 is the bowl a and 01BF is the WYNN (looks like a P) used in this 

www.xn--le-m1aa24e.com.               -->        www.ɑƿƿle.com.

On 12/28/2018 12:52 PM, Jim DeLaHunt wrote:
> Hello, UA friends:
> North America is in the midst of a holiday season right now, and I 
> hope everyone on this list with holidays has been enjoying them — and 
> that those without holidays right now get them soon. :-)
> I'd like to pass on links to two blog posts from Farsight Security 
> about Internationalised Domain Name-based homograph attacks. I don't 
> see that these were shared with this list when they appeared. I don't 
> agree with everything in these blogs, but I do like to practice my 
> ability to argue in favour of IDN use and against IDN-based 
> fear-mongering. These blogs are useful practice material.
> /Touched by an IDN: Farsight Security shines a light on the Internet's 
> oft-ignored and undetected security problem/
> Wednesday, January 17, 2018 By Mike Schiffman (Farsight Security)
> <https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/>
> "Committed to making online interactions safer for all users, Farsight 
> Security regularly investigates systemic threats to the Internet. The 
> design and implementation of the DNS Internationalized Domain Name 
> (IDN) <https://en.wikipedia.org/wiki/Internationalized_domain_name> 
> system poses such a threat – one well known by DNS industry insiders 
> and security professionals but not known or well understood by the 
> wider public. The purpose of this research is to bridge that knowledge 
> gap – to offer a keyhole glimpse into the shadowy world of brand 
> lookalike abuse via IDN homographs.
> "Registration of confusing Internet DNS names for the purpose of 
> misleading consumers is not news. Every user of the Internet learns – 
> often the hard way – that much of the email they receive is forged, 
> and many of the World Wide Web links they are prompted to click on are 
> malicious. Yet IDN, a DNS standard representing non-English domain 
> names, allows forgeries to be nearly undetectable by either human eyes 
> or human judgement, or by traditional Internet user interface tools 
> such as email clients and web browsers.
> "Using its real-time DNS network, Farsight Security conducted new 
> research to determine the prevalence and reach of homographs 
> <https://en.wikipedia.org/wiki/Homograph>, in the form of IDN 
> lookalike domains, across the Internet. Specifically, Farsight 
> examined 125 top brand domain names, including large content 
> providers, social networking giants, financial websites, luxury 
> brands, cryptocurrency exchanges and other popular websites. Our 
> findings underscore that the potential security risk posed by IDN 
> homographs is significant. Any ultimate defense against this variant 
> of Internet forgery will rely on Internet governance and security 
> automation. It is to inform the need for such solutions that we offer 
> the findings below."
> /Free Airline Tickets: The Latest Internationalized Domain Name-based 
> Homograph Scam/
> Monday, August 13, 2018 By Mike Schiffman (Farsight Security)
> <https://www.farsightsecurity.com/2018/08/13/mschiffm-freeticketsscam/>
> "As part of our continuous monitoring of the Internationalized Domain 
> Name (IDN) space, Farsight recently found evidence of what appears to 
> be an ongoing IDN homograph-based phishing campaign targeting mobile 
> users. The suspected phishing websites purport to be those of 
> commercial airline carriers offering free tickets, but, instead, 
> appear to subject the user to a bait-and-switch scam."
> I will also mention again Farsight Security's report on IDN Homograph 
> attacks. This was discussed on this list (Subject: /Re: [UA-discuss] 
> Once again/, Date: Wed, 27 Jun 2018 15:56:37 +0000 etc.)
> /Farsight Security Global Internationalized Domain Name Homograph 
> Report, Q2/2018/
> <https://info.farsightsecurity.com/farsight-idn-research-report>
> "IDN Report: Internationalized Domain Names (IDNs) enable a multilingual 
> Internet. Using IDN standards and protocols, Internet-users are able 
> to register and use domain names in scripts other than Basic Latin. 
> Yet IDNs are often abused by cybercriminals to conduct malicious 
> activities, such as phishing or malware distribution.
> In this new research report, "Farsight Security Global 
> Internationalized Domain Name Homograph Report Q2/2018," Farsight 
> Security examines the prevalence and distribution of IDN homographs 
> across the Internet. We examined 100 Million IDN resolutions over a 
> 12-month period with a focus on over 450 top global brands across 11 
> sectors including finance, retail, and technology."
> Best regards and happy new year,
>      —Jim DeLaHunt, Vancouver, Canada
> -- 
>      --Jim DeLaHunt, jdlh at jdlh.com      http://blog.jdlh.com/  (http://jdlh.com/)
>        multilingual websites consultant
>        355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>           Canada mobile +1-604-376-8953
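
The check described in the PS of the reply above, as an added example that is not part of the original messages: decode each label of a domain name, list the code points that appear in the PS's unsupported set, and flag mixed-script labels. The function names, the name-based script heuristic and the sample `boo\u043a` are assumptions made for this sketch.

```python
import unicodedata

# Code points the message's PS lists as not supported in the Root Zone
# (copied from the list on this page).
EXCLUDED = {int(h, 16) for h in """
0138 0163 0185 01BF 01E5 01F5 0227 022F 0251 0261 027E 043A 1E03 1E05
1E07 1E0B 1E1F 1E23 1E57 1E5B 1E8B 1E93""".split()}

def decode_label(label):
    """Return the Unicode form of one DNS label (A-label or already Unicode)."""
    if label.lower().startswith("xn--"):
        # Strip the ACE prefix and run the RFC 3492 Punycode decoder.
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(u_label):
    """Approximate the script of each letter by the first word of its
    Unicode character name (a heuristic: the standard library does not
    expose the Unicode Script property)."""
    return {unicodedata.name(ch).split()[0] for ch in u_label if ch.isalpha()}

def audit_label(label):
    """Report unsupported code points and mixed-script use in one label."""
    u = decode_label(label)
    excluded = [f"U+{ord(c):04X} {unicodedata.name(c)}"
                for c in u if ord(c) in EXCLUDED]
    return {"unicode": u,
            "excluded": excluded,
            "mixed_script": len(scripts(u)) > 1}

def audit_domain(name):
    """Audit every non-empty label of a domain name."""
    return {lab: audit_label(lab) for lab in name.split(".") if lab}

if __name__ == "__main__":
    # Domain quoted in the message above.
    for lab, res in audit_domain("www.xn--le-m1aa24e.com.").items():
        print(lab, res)
    # Constructed sample: Latin "boo" followed by Cyrillic ka (U+043A).
    print(audit_label("boo\u043a"))
```

The label from the message is all Latin, so a mixed-script flag alone would not catch it; only the code point check does.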
