Severity: MEDIUM

MALICIOUS PUNYCODE LOOKALIKE DOMAINS

by Team CTM360

Reference: CTM-ADV-0318-01 | Date: 18th March 2018 | Category: Phishing

● Evil Twin Websites
● Malicious Domains
● Malware
● Email Fraud

POSSIBLE IMPACTS:
● Compromise of account credentials and confidential data
● Compromise of user data
● Financial, Reputational and Data Loss

TARGET AUDIENCE FOR CIRCULATION:
● Administrators of internet-facing infrastructure and services
● IT security team, Management & Staff

THREAT TARGETS:
● All Sectors

Threat Description

Punycode is a special encoding scheme for internationalized domain names, which makes it possible to register domains containing non-ASCII characters. It works by converting Unicode (UTF-8) strings into American Standard Code for Information Interchange (ASCII) form, so that the name can be handled by DNS. For example, the domain "xn--domain.com" is equivalent to ". com"

Punycode phishing

Using punycode, it is possible to register a domain like ‘xn--80ak6aa92e.com’, which looks exactly like ‘apple.com’ in the browser. This means that a user can be led to a fake phishing website that simply appears to be “apple.com”, because the domain is registered in its Unicode form. Such domains are problematic because many Unicode characters are difficult to distinguish from common ASCII characters, so these domains can be used in phishing attacks that trick users with a convincing domain name.

Many browsers have mechanisms to detect such Unicode domains and display them in their Punycode (ASCII) form instead. Usually the Unicode form is hidden if a domain label contains characters from multiple different scripts. The "аpple.com" domain described above will therefore appear in its Punycode form, "xn--80ak6aa92e.com", in most browsers, to minimize confusion with the real "apple.com".

Copyright ©2018 CTM360® www.ctm360.com 1


In browsers that fail to detect the Unicode domains, ‘xn--80ak6aa92e.com’ and ‘apple.com’ are indistinguishable. Such cases make it impossible to identify whether the site is fraudulent or not without inspecting the site's URL or SSL certificate.

Recommended Best Practices

● Use of a password manager helps reduce the risk of pasting passwords into an incorrectly-named site. Password managers automatically detect the domain being used and offer to fill in the login information. The browser might be fooled by the domain, but the password manager will not be: if it doesn’t offer to fill in the login information, there’s a good chance that the website is fake.

● For Firefox users, force the browser to always display punycode names.

● Click on the padlock in the browser to display the HTTPS certificate. This shows the name to which the certificate was issued, in the DNS-friendly, ASCII-only format. If the name starts with ‘xn--’ then it is a punycode domain, regardless of what it may look like in the address bar.

● In general, users must be very careful and pay attention to the URL when entering personal information. Users should manually type the URL or navigate to sites via a search engine when in doubt. It is highly recommended that users manually type website URLs in the address bar for important sites like Gmail, Facebook, Twitter, Yahoo or banking websites, instead of clicking any link from a website or email. This will ensure the user visits the legitimate website.

● There are some third-party Chrome extensions/add-ons available on the App Store that notify users every time a website with Unicode characters in its domain is detected.
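The browser heuristics described above (a label mixing scripts, or a label made entirely of Cyrillic lookalikes of ASCII letters) and the ‘xn--’ check from the certificate recommendation can be reproduced in a few lines. The following Python script is an added example, not part of the CTM360 advisory; its confusables table is a constructed, deliberately small subset of the Unicode confusables data that browsers ship.

```python
# Added example: screen host names for Punycode lookalike labels.
# Decodes each xn-- label, flags labels that mix scripts, and flags labels
# made only of Cyrillic letters that resemble ASCII letters.
import unicodedata

# Constructed, deliberately small confusables table (Cyrillic -> Latin
# lookalike); browsers use much larger tables derived from Unicode data.
CONFUSABLES = dict(zip(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u04cf\u0456\u0458"
    "\u0455\u0501\u051b\u051d\u04bb",
    "aeopcyxlijsdqwh"))

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; xn-- labels carry Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch: str) -> str:
    """Crude script tag: ASCII letters are LATIN, digits/hyphen COMMON,
    anything else takes the first word of its Unicode name (e.g. CYRILLIC)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def analyse_label(label: str) -> dict:
    """Apply both browser heuristics to a single label."""
    uni = decode_label(label)
    scripts = {script_of(c) for c in uni} - {"COMMON"}
    mixed = len(scripts) > 1                      # e.g. Latin + one Cyrillic letter
    whole = bool(uni) and all(c in CONFUSABLES for c in uni)  # whole-script confusable
    return {
        "unicode": uni,
        "scripts": scripts,
        "mixed_script": mixed,
        "whole_script_confusable": whole,
        # the ASCII name this label imitates, when every character is a lookalike
        "lookalike_of": "".join(CONFUSABLES[c] for c in uni) if whole else None,
        # a browser applying these rules would show the xn-- form, not Unicode
        "display_as_punycode": mixed or whole,
    }

def analyse_host(host: str) -> list:
    """Analyse every label of a host name; any flagged label is a warning."""
    return [analyse_label(part) for part in host.strip(".").lower().split(".")]
```

Running `analyse_host("xn--80ak6aa92e.com")` reports the first label as a whole-script confusable imitating "apple", while `analyse_host("apple.com")` raises no flag.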

Disclaimer

The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness. Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption etc., arising out of or in connection with this advisory. …

For more information: Email: [email protected] Tel: (+973) 77 360 360
