A number of domain “forgeries”, or tricky, translated look-alikes, have been observed recently. These attack campaigns cleverly abuse International Domain Names (IDN) which, once translated for display in a standard browser, take on the appearance of a corporate or organization name, allowing that organization’s domains to be targeted for impersonation or hijacking. This attack has been researched and defined in past campaigns as an IDN homograph attack.
The interesting part of this attack is that it allows bad actors to hijack the targeted organization’s domain without actually hijacking it. As seen in past campaigns, in order to hijack a domain, malicious users must compromise the targeted entity’s domain guardian, which is usually a name registrar, an administrator or the web marketing department within the organization. Malicious users would proceed with different attack vectors in order to obtain credentials that allow the transferring or redirection of such domains. One of the popular attack vectors against an organization’s internet domain was DNS hijacking, in which malicious actors find technical ways of tampering with or subverting a company’s DNS in order to redirect it to another hosted site, subsequently targeting the redirected victims with different attack vectors (drive-by downloads, phishing, impersonation, etc.).
Malicious actors have cleverly devised a way to use International Domain Names that, when translated for display in standard browsers, look exactly like the targeted organization’s domain. Next, malicious actors register the look-alike of the targeted organization’s domain and obtain SSL/TLS certificates for it. Once these are rendered in browsers, it is very difficult, and almost impossible, to notice the difference. Previous work from researcher Xudong Zeng of Symantec and recent research by IronGeek and Brian Krebs give good examples of how the use of IDNs can be effective when trying to impersonate a targeted entity.
Figure: a simple translation tool.
The above example shows the domain name of a known cryptocurrency exchange that was recently targeted, according to TheNextWeb. Malicious actors used an IDN, cloned the site, purchased SSL/TLS certificates and presented the clone site to trick victims.
Figure: the cloned punycode/IDN site.
Figure: the translated IDN with the secure icon in the browser.
As seen on both images above, this type of attack is very difficult to detect, even for a detailed observer.
How can we defend against these types of attacks?
Although these types of attacks are very difficult for standard users to detect, they don’t represent direct compromises of actual internet domains. Still, there are measures that can be taken in order to protect against them.
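The translation step described earlier (a Unicode domain becoming an `xn--` punycode label, and back) and the defensive measures in this section can both be demonstrated with a small checker that a SOC could run over domains seen in proxy logs, certificate transparency feeds or e-mail links. The script below is an added example written for this post, not JASK’s or the Punycode Alert add-on’s code. It uses only Python’s built-in `idna` codec and `unicodedata`; the `CONFUSABLES` mapping is a hand-picked subset of the Unicode confusables table and the `WATCHLIST` domains are constructed placeholders, both assumptions made for the example.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (UTS #39): Cyrillic
# letters that render like Latin ones. The real table is far larger; this
# sample is an assumption sized for the demonstration, not a complete list.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
}

# Constructed watchlist of domains to protect (hypothetical values).
WATCHLIST = {"apple.com", "example-exchange.com"}


def to_ascii(domain: str) -> str:
    """Return the ASCII (punycode, xn--) form that DNS actually resolves."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Return the Unicode form a browser would display for a punycode name."""
    try:
        raw = domain.encode("ascii")
    except UnicodeEncodeError:
        return domain  # already in Unicode form
    return raw.decode("idna")


def scripts(label: str) -> set:
    """Set of Unicode scripts used by the letters of one DNS label."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are script-neutral
        name = unicodedata.name(ch, "UNKNOWN")
        found.add(name.split(" ")[0])  # e.g. "LATIN", "CYRILLIC"
    return found


def skeleton(domain: str) -> str:
    """Fold confusable characters to their Latin look-alikes."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(domain: str) -> dict:
    """Classify a domain as seen in a URL, log line or certificate SAN."""
    uni = to_unicode(domain.strip().rstrip("."))
    ascii_form = to_ascii(uni)
    findings = []
    # An IDN by itself is not malicious (many legitimate sites use them),
    # so it is recorded as context rather than as an alert on its own.
    if any(label.startswith("xn--") for label in ascii_form.split(".")):
        findings.append("idn")
    # Mixed scripts inside one label are what browser heuristics catch.
    for label in uni.split("."):
        if len(scripts(label)) > 1:
            findings.append(f"mixed-script:{label}")
    # Single-script look-alikes slip past that check, so compare the
    # confusable-folded skeleton against the protected watchlist.
    skel = skeleton(uni)
    if skel in WATCHLIST and skel != uni.lower():
        findings.append(f"lookalike-of:{skel}")
    return {"unicode": uni, "ascii": ascii_form, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a mixed-script forgery, an all-Cyrillic forgery
    # and the legitimate domain.
    for sample in ["\u0430pple.com", "\u0430\u0440\u0440\u04cf\u0435.com", "apple.com"]:
        print(analyze(sample))
```

The second sample is the important one for defenders: every letter is Cyrillic, so a mixed-script rule reports nothing, and only the skeleton comparison against the watchlist flags it. Feeding your own brand names into `WATCHLIST` and running `analyze` over newly issued certificates or observed DNS queries gives a detection that does not depend on each user noticing the difference on screen.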
Figure: the Punycode Alert Chrome add-on.
To read a more technical and in-depth summary, access Rod’s Threat Advisory on this topic here.
JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times. www.jask.ai.