Security consultant Paul Moore has managed to register a domain that, at first glance, looks like that of UK-based Lloyds Bank, and get a valid TLS certificate for it from CloudFlare.
He did so by replacing the initial two lowercase “L” letters of the legitimate site’s domain with two uppercase “i” letters. This type of attack is called an internationalized domain name (IDN) homograph attack, and it takes advantage of the fact that many different characters look alike.
While performing this experiment he made it clear on the site itself that it was not the legitimate one.
He also transferred the ownership of the domain to Lloyds Bank soon after he had proven his point that it’s extremely easy for real attackers to execute this type of attack.
CloudFlare revoked the certificate a day later, but had this been a real phishing attack, the fact that it issued a certificate for such a domain in the first place would have been the problem.
As you can see from the above screenshot, some browsers will tip off users to the scheme by lowercasing the URL and revealing the true nature of the domain, while others will not:
— Paul Moore (@Paul_Reviews) June 28, 2015
In any case, it’s likely that most users wouldn’t notice this if they followed a direct link from a phishing email.
The lessons to learn from this experiment are many:
- Financial institutions should register domains that can be mistaken for theirs and use them to redirect users to the correct one.
- CloudFlare and other organizations issuing certificates should put a system in place for detecting and double-checking certificate requests for “iffy” domains.
- Users should avoid visiting their financial institution’s website by following links in unsolicited emails.
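The second lesson is the one a certificate issuer or a brand-protection team can automate. The following is an added example, not code from Paul Moore or CloudFlare: it collapses a requested domain to a confusable-character “skeleton” and compares it with a constructed list of protected brand domains, so that the uppercase-I-for-lowercase-l substitution above (and the digit-one and Cyrillic variants of the same trick) is flagged for review. The confusable map is a small hand-picked subset, not the full Unicode confusables table.

```python
"""Triage check for lookalike domains, e.g. uppercase "II" standing in for "ll".

Added example for this article (not Paul Moore's or CloudFlare's code). It
collapses each domain to a confusable-character "skeleton" and compares it to a
constructed list of protected brand domains. The confusable map is a small
hand-picked subset; a real deployment would load the Unicode confusables table.
"""
import unicodedata

# Constructed list of domains to protect (placeholder for a CA's or bank's own list).
PROTECTED = {"lloydsbank.co.uk", "lloydsbank.com"}

# Single characters that render like a Latin letter. Keys are matched BEFORE
# lowercasing so that uppercase "I" is mapped to "l" (lowercasing first would
# turn it into "i" and hide exactly the substitution the article describes).
SINGLE = {
    "I": "l", "1": "l", "\u0406": "l",          # I, digit one, Cyrillic І
    "0": "o", "\u043e": "o", "\u041e": "o",     # digit zero, Cyrillic о/О
    "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s",
}
# Character pairs that look like a single letter at typical font sizes.
MULTI = {"rn": "m", "vv": "w"}

def skeleton(domain: str) -> str:
    """Canonical form under which visually confusable spellings collide."""
    if "xn--" in domain.lower():
        # Punycode label(s): compare by the form a browser would display.
        domain = domain.encode("ascii").decode("idna")
    # NFKD plus dropping combining marks removes accents and compatibility forms.
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(SINGLE.get(c, c) for c in text).lower()
    for pair, letter in MULTI.items():
        text = text.replace(pair, letter)
    return text

def check_domain(domain: str):
    """Return ("exact" | "lookalike" | "ok", matched protected domain or None).

    "lookalike" is a triage signal for manual or secondary review, not a
    standalone decision to refuse the request.
    """
    lowered = domain.lower()
    if lowered in PROTECTED:
        return "exact", lowered
    sk = skeleton(domain)
    for brand in PROTECTED:
        if sk == skeleton(brand):
            return "lookalike", brand
    return "ok", None

if __name__ == "__main__":
    for d in ["lloydsbank.co.uk", "IIoydsbank.co.uk", "l1oydsbank.co.uk", "example.org"]:
        print(d, "->", check_domain(d))
```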