[UA-discuss] [FYI] Two IDN Homograph blog posts from FarsightSecurity

Asmus Freytag asmusf at ix.netcom.com
Sun Dec 30 00:40:43 UTC 2018

On 12/29/2018 10:51 AM, Asmus Freytag wrote:
> I ran an analysis using an early draft of the Root Zone LGR for Latin.
> Of the about 270 unique labels distributed across the sample domain 
> names in the first blog entry posted by Jim, I found that a good 20% 
> or so are excluded because the Root Zone does not support historic or 
> purely phonetic code points.
> After subtracting those, most of the phishing attempts (except 2) were 
> based on "random umlaut disease" or "rock-dots". That is, substituting 
> a random accented letter.

The Draft LGR had a bug; actual count of the exceptions is about 7. 
Other conclusions unaffected.

> Of these, the most dangerous ones are the ones with the least visible 
> diacritics (dot below, or dot above, in that order). These can be hard 
> to detect even to users familiar with accents. The dot below also 
> happens to clash with URL underlining.
> Other accents will fool North American users, but would probably be no 
> worse in their effects than standard misspellings for most other users 
> of the Latin script.
> The sample included two all-Cyrillic labels, something that wouldn't 
> be supported in the Root. It's not clear why so few: either the 
> sampled target domains don't lend themselves to this attack or some of 
> the possible counter measures (like flagging mixed script labels) are 
> already having a deterrent effect.
> A./
> PS: here's the list of code points from the sample data that will not 
> be supported in the Root Zone:
> {0138 0163 0185 01BF 01E5 01F5 0227 022F 0251 0261 027E 043A 1E03 1E05 
> 1E07 1E0B 1E1F 1E23 1E57 1E5B 1E8B 1E93}
> 0251 is the bowl a and 01BF is the WYNN (looks like a P) used in this 
> attack:
> www.xn--le-m1aa24e.com. --> www.ɑƿƿle.com.
> On 12/28/2018 12:52 PM, Jim DeLaHunt wrote:
>> Hello, UA friends:
>> North America is in the midst of a holiday season right now, and I 
>> hope everyone on this list with holidays has been enjoying them — and 
>> that those without holidays right now get them soon. :-)
>> I'd like to pass on links to two blog posts from Farsight Security 
>> about Internationalised Domain Name-based homograph attacks. I don't 
>> see that these were shared with this list when they appeared. I don't 
>> agree with everything in these blogs, but I do like to practice my 
>> ability to argue in favour of IDN use and against IDN-based 
>> fear-mongering. These blogs are useful practice material.
>> /Touched by an IDN: Farsight Security shines a light on the 
>> Internet's oft-ignored and undetected security problem/
>> Wednesday, January 17, 2018 By Mike Schiffman (Farsight Security)
>> <https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/>
>> "Committed to making online interactions safer for all users, 
>> Farsight Security regularly investigates systemic threats to the 
>> Internet. The design and implementation of the DNS Internationalized 
>> Domain Name (IDN) 
>> <https://en.wikipedia.org/wiki/Internationalized_domain_name> system 
>> poses such a threat – one well known by DNS industry insiders and 
>> security professionals but not known or well understood by the wider 
>> public. The purpose of this research is to bridge that knowledge gap 
>> – to offer a keyhole glimpse into the shadowy world of brand 
>> lookalike abuse via IDN homographs.
>> "Registration of confusing Internet DNS names for the purpose of 
>> misleading consumers is not news. Every user of the Internet learns – 
>> often the hard way – that much of the email they receive is forged, 
>> and many of the World Wide Web links they are prompted to click on 
>> are malicious. Yet IDN, a DNS standard representing non-English 
>> domain names, allows forgeries to be nearly undetectable by either 
>> human eyes or human judgement, or by traditional Internet user 
>> interface tools such as email clients and web browsers.
>> "Using its real-time DNS network, Farsight Security conducted new 
>> research to determine the prevalence and reach of homographs 
>> <https://en.wikipedia.org/wiki/Homograph>, in the form of IDN 
>> lookalike domains, across the Internet. Specifically, Farsight 
>> examined 125 top brand domain names, including large content 
>> providers, social networking giants, financial websites, luxury 
>> brands, cryptocurrency exchanges and other popular websites. Our 
>> findings underscore that the potential security risk posed by IDN 
>> homographs is significant. Any ultimate defense against this variant 
>> of Internet forgery will rely on Internet governance and security 
>> automation. It is to inform the need for such solutions that we offer 
>> the findings below."
>> /Free Airline Tickets: The Latest Internationalized Domain Name-based 
>> Homograph Scam/
>> Monday, August 13, 2018 By Mike Schiffman (Farsight Security)
>> <https://www.farsightsecurity.com/2018/08/13/mschiffm-freeticketsscam/>
>> "As part of our continuous monitoring of the Internationalized Domain 
>> Name (IDN) space, Farsight recently found evidence of what appears to 
>> be an ongoing IDN homograph-based phishing campaign targeting mobile 
>> users. The suspected phishing websites purport to be those of 
>> commercial airline carriers offering free tickets, but, instead, 
>> appear to subject the user to a bait-and-switch scam."
>> I will also mention again Farsight Security's report on IDN Homograph 
>> attacks. This was discussed on this list (Subject: /Re: [UA-discuss] 
>> Once again/, Date: Wed, 27 Jun 2018 15:56:37 +0000 etc.)
>> /Farsight Security Global Internationalized Domain Name Homograph 
>> Report, Q2/2018/
>> <https://info.farsightsecurity.com/farsight-idn-research-report>
>> "IDN Report: Internationalized Domain Names (IDNs) enable a 
>> multilingual Internet. Using IDN standards and protocols, 
>> Internet-users are able to register and use domain names in scripts 
>> other than Basic Latin. Yet IDNs are often abused by cybercriminals 
>> to conduct malicious activities, such as phishing or malware 
>> distribution.
>> In this new research report, "Farsight Security Global 
>> Internationalized Domain Name Homograph Report Q2/2018," Farsight 
>> Security examines the prevalence and distribution of IDN homographs 
>> across the Internet. We examined 100 Million IDN resolutions over a 
>> 12-month period with a focus on over 450 top global brands across 11 
>> sectors including finance, retail, and technology."
>> Best regards and happy new year,
>>      —Jim DeLaHunt, Vancouver, Canada
>> -- 
>>      --Jim DeLaHunt, jdlh at jdlh.com      http://blog.jdlh.com/  (http://jdlh.com/)
>>        multilingual websites consultant
>>        355-1027 Davie St, Vancouver BC V6E 4L2, Canada
>>           Canada mobile +1-604-376-8953
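
The checks discussed in this message, as an added example that is not part of the original post or of any Root Zone LGR tooling: it decodes a label, tests it against the code-point list quoted above, and reports low-visibility diacritics and scripts. The function names are hypothetical, the script test is a character-name heuristic, and every sample label except `xn--le-m1aa24e` is constructed.

```python
import unicodedata

# Code points the message lists as present in the sample data but not
# supported in the Root Zone (copied from the post).
ROOT_EXCLUDED = {int(h, 16) for h in (
    "0138 0163 0185 01BF 01E5 01F5 0227 022F 0251 0261 027E 043A 1E03 1E05 "
    "1E07 1E0B 1E1F 1E23 1E57 1E5B 1E8B 1E93").split()}

# Combining marks the message calls least visible, in its order of concern.
LOW_VISIBILITY = {0x0323: "dot below", 0x0307: "dot above"}


def decode_label(label):
    """Return the Unicode form of a single DNS label (A-label or U-label)."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def analyze(label):
    """Report the properties of one label that the message discusses."""
    text = unicodedata.normalize("NFC", decode_label(label))
    excluded, scripts = [], set()
    for ch in text:
        tag = f"U+{ord(ch):04X}"
        if ord(ch) in ROOT_EXCLUDED and tag not in excluded:
            excluded.append(tag)
        if ch.isalpha():
            # Assumption: first word of the character name approximates script.
            scripts.add(unicodedata.name(ch).split()[0])
    # Decompose so that precomposed letters expose their accents.
    marks = {ord(c) for c in unicodedata.normalize("NFD", text)
             if unicodedata.combining(c)}
    return {
        "unicode": text,
        "excluded": excluded,
        "scripts": sorted(scripts),
        "low_visibility": sorted(LOW_VISIBILITY[m] for m in marks
                                 if m in LOW_VISIBILITY),
        "other_accents": len(marks - set(LOW_VISIBILITY)),
    }


if __name__ == "__main__":
    # First label is from the message; the rest are constructed samples.
    for sample in ("xn--le-m1aa24e", "e\u1e8bample", "ex\u00e4mple", "\u043a\u043e\u043c"):
        print(analyze(sample))
```

A label with more than one entry in `scripts` is a mixed-script label, the case the message mentions as a possible countermeasure to flag.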
