Phishing is, by and large, the most often used attacker tactic to trick victims into sharing useful information such as login credentials. More often than not, that means directing them to spoofed login web pages posing as the real deal.
Before the advent of internationalized domain names (IDN), observant Internet users could easily spot domain impersonation attempts: the domains would look almost cartoonish, e.g. M1CROS0FT.COM, where the “one” posed as an “eye” and the “zero” as an “oh”.
“In recent years, though, the Internet technical community has made it possible to express domain names in the native character sets of most nations and cultures on Earth, and that has really boosted the capabilities available to malicious impersonators,” says Dr. Paul Vixie, CEO of Farsight Security.
IDN homograph attacks on the rise
Scammers and phishers have been actively exploiting IDNs to register domains that, to users, look very much like those of popular, widely used online resources.
“There’s an ‘eye’ in Cyrillic, another in Gaelic, and lots of others from many other national character sets. These ‘eyes’ don’t look different from the English ‘eye’ in MICROSOFT.COM,” Dr. Vixie explains. And this is just one example.
In a recently released report, the company examined the prevalence and distribution of IDN lookalike domain names and found, in a period of 12 months, 100 million total IDN resolutions, including 27 million unique Fully Qualified Domain Names (FQDNs).
Of these, 35,989 domains tried to imitate 466 top global brands across 11 vertical sectors ranging from banking to retail to technology.
While the Internet governance community has recommended that domain registrars not allow users to register lookalikes or, indeed, any domain name using a mix of characters from different alphabets, there is no way to enforce that recommendation. Unfortunately, some registrars choose not to enforce this rule and, as Dr. Vixie notes, this round of the fight goes to the bad guys.
Widely used browsers have built-in homograph protections but they can fail due to vulnerabilities. There are also browser extensions that can help spot homograph domains.
Unfortunately, attackers can send homographic URLs via email and social networks and they will look legitimate until the link is clicked on.
Companies that want to protect their brand online have a number of options.
“Internet security vendors offer a lot of services in this area, like scanning the web looking for your logo or trademarks, looking at spam traps for look-alike domain names, and even downloading top level domain (TLD) directories to find new domain names which might be confusingly similar to a protection-worthy trademark,” Dr. Vixie notes.
“Our recent IDN report intended to make it clear that with internationalized domain names now widely practiced, there is a whole new kind of ‘confusing similarity’ that defenders must not be blind to, because attackers are certainly using them.”
The company recommends immediate takedown efforts when a confusingly similar name is detected, as sending a cease and decease letter and waiting 72 hours is often too slow to prevent harm to consumers and trademark holders. They also feel it’s important to see all domain names, including those created by IT departments, and not just “delegation point” domain names such as those sold by internet registrar companies.
DNS can be also used as an early warning system to predict new targeted attacks.
“For attacks targeting an enterprise’s networks and servers, including both in-house and in the cloud, an operator can gain some confidence and recourse just by doing analytics on the domain names their users and applications are trying to look up – because quite a few of these names will be malicious, or will be closely related to names which have proved malicious in hours or days or weeks past,” he says.
“It’s important to back these analytics up with policy, such as the free DNS firewalls with RPZ technology that our team built and gave away to the community back in 2010 before we decided to launch Farsight. By preventing your users and applications from resolving malicious names or suspected-malicious names, a lot of attacks can’t even get their foot in your door.”
“Of course, it’s also important to do some analytics about domain names that everybody else is looking up, in case an attacker is damaging your brand or your trademark by impersonation, and the direct victims are not on your network. In those situations, no firewall or policy or intrusion detection or network analytics will see the harm, and it’s necessary to find a way to look at the global domain name system lookup flow rather than at your own DNS lookup flows,” he concluded.