How criminals abuse IDNs to conduct malicious activities

Get a copy of the upcoming book "Secure Operations Technology"

New research from Farsight Security examines the prevalence and distribution of IDN lookalike domain names, also called homographs, over a 12-month period with a focus on 466 top global brands across 11 vertical sectors ranging from banking to retail to technology.

abuse idn

Sample unicode confusables

The research discovered the potential risk posed by IDN homographs is significant and growing. In fact, Farsight observed 100 million total IDN resolutions, including 27 million unique Fully Qualified Domain Names (FQDNs).

Just as the DNS enables the vast majority of online transactions, IDNs enable a multilingual Internet by allowing Internet users to register and use domain names in almost any written language. Yet because IDN homographs are easy to register and often go undetected by traditional security solutions, these lookalike domains are increasingly being used to commit phishing and other malicious activities.

As part of the research, Farsight evaluated a cross-section of sectors including: banking, credit and loans, insurance, financial management, ecommerce, clothing retailers, jewelry retailers, luxury retailers, cryptocurrency exchanges, and technology firms.

abuse idn

IDN homograph intra-label mixed script breakdown

Key findings of the report include:

  • Brands in banking and other related sectors are frequently imitated using IDN homographs with ~750 unique resolutions per month
  • 91% of IDN homographs offered some sort of webpage
  • The research found clear violations of the ICANN Guidelines for the Implementation of Internationalized Domain Names
  • 66% of all IDN homograph IP addresses were found to be geolocated in the United States
  • 93% of IDN homograph FQDNs had IPv4-based address records.

“Farsight regularly conducts research to reveal possible unknown security risks. IDN homographs are largely undetected – as a result, bad guys can abuse these key DNS assets,” said Dr. Paul Vixie, CEO, Chairman and Cofounder of Farsight Security. “Our research proves that it is critical that organizations identify and manage potential risks to their brands, including IDN homographs.”