Malicious-Punycode-Look-Alike-Domain


Severity: MEDIUM

MALICIOUS PUNYCODE LOOKALIKE DOMAINS
By Team CTM360
Reference: CTM-ADV-0318-01
Date: 18th March 2018
Category: Phishing
● Evil Twin Websites
● Malicious Domains
● Malware
● Email Fraud
Copyright ©2018 CTM360® www.ctm360.com

THREAT TARGETS:
● All Sectors

POSSIBLE IMPACTS:
● Compromise of account credentials and confidential data
● Compromise of user data
● Financial, Reputational and Data Loss

TARGET AUDIENCE FOR CIRCULATION:
● Administrators of internet-facing infrastructure and services
● IT security team, Management & Staff

Threat Description

Punycode is a special encoding scheme for internationalized domain names, which makes it possible to register domains containing non-ASCII characters. It works by converting Unicode (UTF-8) strings into American Standard Code for Information Interchange (ASCII) form. For example, the domain "xn--domain.com" is equivalent to ". com"

Punycode phishing

Using punycode, it is possible to register a domain such as ‘xn--80ak6aa92e.com’, which is displayed as ‘apple.com’ in the browser. This means that a user can be led to a phishing website that simply appears to be “apple.com” because it is registered in Unicode form. Such domains are problematic because many Unicode characters are difficult to distinguish from common ASCII characters. These domains can then be used in phishing attacks, since the displayed domain name tricks the user.

Many browsers have mechanisms to detect such Unicode domains and display them in their Punycode form instead. Usually the Unicode form is hidden if a domain label contains characters from multiple different scripts. The "аpple.com" domain described above will appear in its Punycode form, "xn--80ak6aa92e.com", in most browsers, to minimize confusion with the real "apple.com".

In browsers that fail to detect the Unicode domains, ‘xn--80ak6aa92e.com’ and ‘apple.com’ are indistinguishable.
Such cases make it impossible to identify whether the site is fraudulent without inspecting the site's URL or SSL certificate.

Recommended Best Practices

● Use a password manager; this helps reduce the risk of pasting passwords into an incorrectly named site. Password managers automatically detect the domain being used and offer to fill in the login information. The browser might be fooled by the domain, but the password manager will not be. If it doesn't offer to fill in the login information, there is a good chance that the website is fake.
● For Firefox users, force the browser to always display punycode names.
● Click on the padlock in the browser to display the HTTPS certificate. This shows the domain name to which the certificate was issued in the DNS-friendly, ASCII-only format. If the name starts with ‘xn--’, it is a punycode domain, regardless of what it looks like in the address bar.
● In general, users must be very careful and pay attention to the URL when entering personal information. Users should manually type the URL or navigate to sites via a search engine when in doubt. It is highly recommended that users manually type website URLs into the address bar for important sites such as Gmail, Facebook, Twitter, Yahoo or banking websites, instead of clicking a link from a website or email. This ensures the user visits the legitimate website.
● There are some third-party Chrome extensions/add-ons available on the App Store that notify/alert users every time a website with Unicode characters in the domain is detected.

Disclaimer

The information contained in this document is meant to provide general guidance and brief information to the intended recipient pertaining to the incident and recommended action. Therefore, this information is provided "as is" without warranties of any kind, express or implied, including accuracy, timeliness, and completeness.
Consequently, under NO condition shall CTM360®, its related partners, directors, principals, agents or employees be liable for any direct, indirect, accidental, special, exemplary, punitive, consequential or other damages or claims whatsoever including, but not limited to: loss of data, loss in profits/business, network disruption etc., arising out of or in connection with this advisory.

…

For more information:
Email: [email protected]
Tel: (+973) 77 360 360
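The checks described in the Threat Description and in the padlock recommendation above (decode an ‘xn--’ label, notice a label that mixes scripts, compare the result with the brand it imitates), as an added example that is not part of the CTM360 advisory. It uses the Python standard library's 'punycode' codec, which implements the RFC 3492 encoding the advisory refers to. The CONFUSABLES table is a small hand-constructed subset for illustration rather than the full Unicode confusables data, and the function names, the watch list and the sample hostnames are assumptions of this example.

```python
"""Defender-side check for Punycode / IDN homograph look-alike hostnames.

Added example accompanying the CTM360 advisory; it is not CTM360 tooling.
CONFUSABLES is a small hand-constructed subset, not the full Unicode
confusables data; the watch list and sample hostnames are constructed.
"""
import unicodedata

# Constructed subset of confusable mappings: non-Latin letters that render
# almost identically to ASCII letters in common fonts.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

# Scripts recognised by Unicode character-name prefix; anything else
# (digits, hyphen) is treated as COMMON and ignored for the mixing check.
KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def decode_label(label):
    """Return the Unicode (U-label) form of one DNS label.

    An A-label is the 'xn--' ACE prefix followed by RFC 3492 Punycode; the
    stdlib 'punycode' codec decodes that part. Other labels pass through.
    Raises UnicodeError on malformed Punycode.
    """
    if label[:4].lower() == "xn--":
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_alabel(label):
    """Inverse of decode_label: ASCII labels pass through, others get xn--."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts_of(label):
    """Set of scripts used in a label, derived from Unicode character names."""
    scripts = set()
    for ch in label:
        prefix = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        scripts.add(prefix if prefix in KNOWN_SCRIPTS else "COMMON")
    return scripts


def skeleton(text):
    """Collapse confusable characters to the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze(hostname, watchlist=()):
    """Return findings for a hostname given in A-label or U-label form.

    Findings: 'punycode' (an xn-- label is present), 'non-ascii',
    'invalid-punycode:<label>', 'mixed-script:<label>' (the browser
    heuristic the advisory mentions) and 'lookalike:<watched>' when the
    confusable-collapsed hostname equals a watched name that it is not.
    """
    findings = []
    labels = hostname.rstrip(".").split(".")
    ulabels = []
    for label in labels:
        try:
            ulabels.append(decode_label(label))
        except UnicodeError:
            findings.append("invalid-punycode:" + label)
            ulabels.append(label)
    if any(l[:4].lower() == "xn--" for l in labels):
        findings.append("punycode")
    if any(not u.isascii() for u in ulabels):
        findings.append("non-ascii")
    for u in ulabels:
        if len(scripts_of(u) - {"COMMON"}) > 1:
            findings.append("mixed-script:" + u)
    unicode_host = ".".join(ulabels).lower()
    collapsed = skeleton(unicode_host)
    for watched in watchlist:
        if collapsed == watched.lower() and unicode_host != watched.lower():
            findings.append("lookalike:" + watched)
    return findings


if __name__ == "__main__":
    # Constructed inputs: the advisory's xn--80ak6aa92e.com, a mixed-script
    # U-label built from the Cyrillic 'а' it mentions, and the real domain.
    for host in ("xn--80ak6aa92e.com", "\u0430pple.com", "apple.com"):
        unicode_form = ".".join(decode_label(l) for l in host.split("."))
        print(host, "->", unicode_form, analyze(host, watchlist=["apple.com"]))
```

Run against the advisory's example, the script reports that xn--80ak6aa92e.com is a punycode, all-Cyrillic label whose collapsed form equals apple.com, which is exactly why a browser that shows only the Unicode form cannot help the user; the mixed-script finding fires for a label such as Cyrillic ‘а’ + Latin ‘pple’, the case most browsers already catch. A real deployment would use the full Unicode confusables table and a watch list of the organisation's own domains.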