What's old is new again as infosec bods are sounding the alarm over a fresh wave of homoglyph characters being used to lure victims to malicious fake websites.
Researchers at Soluble today said they worked with Verisign to thwart the registration of domain names that use homoglyphs – non-Latin characters that look just like letters of the Latin alphabet – to masquerade as legit domains.
First reported back in the 2000s, this technique allows miscreants to use characters that, when displayed in the browser bar, appear to show the URL of a valid site – such as Apple.com or Google.com – despite being a completely different domain name. These bogus sites are designed to look real while phishing credentials or distributing malware. You think you're logging into Google.com from an email or instant-chat link, but really you're handing over your password to a crook.
There have been a number of efforts over the years, most recently in 2017, we reckon, to rid the internet of homograph abuse once and for all.
In the most recent case, it was found that the Unicode Latin IPA Extension characters could be, and were being, exploited to set up lookalike domains.
"Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates," noted Soluble researcher Matt Hamilton. "This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity."
Normally, it would not be possible to register domains with mixed scripts, as Verisign put protections in place years ago. However, the researchers found that those protections did not extend to Unicode Latin IPA, meaning that prior to Verisign updating its filters after being tipped off by Soluble, the characters could be used to set up lookalike URLs.
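As an added illustration of the gap described above (this is not Soluble's or Verisign's code), the check below decodes punycode labels back to Unicode and runs two tests side by side: a naive mixed-script check, which IPA Extensions characters pass because they are still Latin script, and a block-range check for U+0250–U+02AF, which catches them. The sample domains are constructed.

```python
import unicodedata

# Unicode block named in the article: Latin IPA Extensions, U+0250..U+02AF.
IPA_EXTENSIONS = range(0x0250, 0x02B0)


def to_unicode(domain):
    """Decode any punycode ("xn--") labels of a domain back to Unicode."""
    labels = []
    for label in domain.split("."):
        if label[:4].lower() == "xn--":
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def script_of(ch):
    """Coarse script name taken from the first word of the Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def inspect_domain(domain):
    """Report the scripts used and any IPA Extensions characters present.

    A mixed-script check alone misses IPA Extensions characters: they are
    Latin-script, so a domain built from them looks single-script.
    """
    decoded = to_unicode(domain)
    scripts = set()
    ipa_chars = []
    for ch in decoded:
        if ch in ".-" or ch.isdigit():
            continue  # separators, hyphens and digits carry no script
        scripts.add(script_of(ch))
        if ord(ch) in IPA_EXTENSIONS:
            ipa_chars.append((ch, unicodedata.name(ch)))
    reasons = []
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    if ipa_chars:
        reasons.append("IPA Extensions characters: " + ", ".join(n for _, n in ipa_chars))
    return {"decoded": decoded, "scripts": scripts, "ipa": ipa_chars, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: U+0261 is LATIN SMALL LETTER SCRIPT G (IPA block),
    # U+0430 is CYRILLIC SMALL LETTER A (caught by the mixed-script check).
    for d in ("google.com", "\u0261oogle.com", "\u0430pple.com"):
        print(d, inspect_domain(d)["reasons"])
```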
"Safeguarding the stability, security and resiliency of the critical infrastructure we operate is our top priority," Verisign said in a statement. "While the underlying issue described by Mr Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited.
"Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr Hamilton’s report."
Fortunately, the domains are hard enough to register and set up that miscreants don't want to burn them on anything other than the highest-value of targets.
"While it is unlikely that you, the reader, were attacked with this technique," Hamilton notes, "it is likely that this technique was used in highly targeted social-engineering campaigns." ®