ESET researchers are warning users to beware of homograph attacks or spoofing attacks which mimic legitimate domains using Unicode characters from non-Latin writing systems.
“It is possible to register a domain name such as “xn--pple-43d.com,” which is interpreted by the browser as “apple.com,” but is actually written using the Cyrillic character “а” (U+0430) instead of the ASCII “a” (U+0041),” ESET researchers said in a July 27 blog. “While both characters look the same to the naked eye, for the purpose of browsers and security certificates these are two different characters, and so represent different domains.”
Independent researcher Xudong Zheng demonstrated an example of the attack by registering the domain given in the provided example. If a user visits the domain through a Firefox browser then the link will appear as “https://www.аррӏе.com/” in the URL box.
Browsers such as Chrome and Internet Explorer may prevent these type of attacks by using technology that shows the foreign text in the corresponding Punycode rather than in Unicode form, but researchers warn it is still easy to circumvent these features. Users can manually disable the translation for Punycodes in Firefox by changing “thenetwork.IDN_show_punycode” attribute to false in the settings menu.
Researchers also noted that most fraudulent sites use HTTP instead of HTTPS and that by obtaining an HTTPS credential, it enables phony site’s to better mimic legitimate URLs. An attacker needs to be able to register a domain that looks as similar as possible to the real website they are imitating.
A TLS certificate can even be obtained through Amazon which would make the domain look even more convincing and may only be spotted if a user were to dig deeper into the domain’s owner. For this reason researchers warn that HTTPS and certificates aren’t a security consideration on the part of an attacker if they are stealing credentials.
The attack is still a proof of concept and has not been seen in the wild, but potentially poses a significant threat.
“For the owner of a website or online service, the best way to avoid being spoofed is to use SSL certificates that also validate the Organization Identity,” ESET security researcher Cecilia Pastorino told SC Media.”These certificates may be a little bit more expensive, but ensure that the site or online service that it’s not only hosted in the right server, but also belongs to the legitimate company. These types of certificates are “Organization Validated Certificate” or, even better, “Extended Validation Certificate.”
To help combat these threats, researchers recommend users look carefully at security certificates, avoid accessing websites through links sent in emails, and use two factor authentication.