A Quick Guide to the IDN Homograph Attack
Introduction
The IDN (Internationalized Domain Name) homograph attack, also known by the names “homoglyph” and “script spoofing,” is a method in which an attacker deceives victims into believing that the site they are visiting is the genuine one.
Attackers do this by setting up domains whose names contain characters that closely resemble the real ones: for example, using a zero instead of an O. Because of the lookalike characters, victims tend to believe they’re visiting the real site and end up giving these fake sites their credit card details, login credentials, and so on.
In a nutshell, attackers are able to register lookalike domain names by exploiting the similar appearance of certain characters in English, Chinese, Latin, Greek and other scripts.
Leveraging Homograph Attacks
A browser and a user see a character differently. Computers support multilingual logical characters, so two characters that are distinct to the computer can look identical on screen; hence, it is very easy to confuse a user.
One example of such an attack uses Cyrillic characters. Cyrillic, some of whose characters resemble letters in the Latin alphabet (for example, the Cyrillic letter which makes the V sound looks just like a Latin B), can easily be used to spoof domain names.
Generating IDN Homograph Attacks
We can use many online tools to generate such lookalike domains. Most of them create homoglyphs by using lookalike Unicode characters.
Real-Time Attack Scenario
First, visit this URL: infosecinstitute.com. You will probably be redirected to this site’s homepage.
Now visit this URL: infοѕecinstitute.com. You will be redirected to http://xn--nfsecnstitute-fpj5fx045a.com/
Surprised? That’s exactly what attackers do. They simply register a new domain and then make you believe that you are on the real site. The spoof site may then get passwords and other personal details.
Defending from Homograph Attacks
Most of the defenses against homograph attacks involve displaying IDNs (internationalized domain names) in their Punycode format, which drastically reduces phishing possibilities. Both Chrome and Firefox have taken adequate measures in their algorithms. ICANN has implemented a policy which prevents registering domains resembling existing domains.
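The Punycode display described above can be sketched as follows. This is an added example, not code from the article or from any browser: the mixed-script rule, the function names and the sample hostnames are assumptions made for illustration.

```python
import unicodedata

def label_scripts(label):
    """Scripts used by the letters of one DNS label.

    The script is approximated by the first word of each character's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def to_ascii(host):
    """Punycode (xn--) form of a hostname, using Python's built-in IDNA codec."""
    return host.encode("idna").decode("ascii")

def display_form(host):
    """Return (text_to_show, reason) under a simplified policy (assumption):
    show Punycode whenever any label mixes scripts.

    Limitations: real browser rules are more detailed, and a label written
    entirely in one non-Latin script is not flagged by this check.
    """
    host = host.lower()
    if host.isascii():
        return host, "ascii"
    for label in host.split("."):
        if len(label_scripts(label)) > 1:
            return to_ascii(host), "mixed-script label"
    return host, "single-script IDN"

# Constructed sample hostnames, not sites named in the article.
SAMPLES = [
    "apple.com",             # plain ASCII
    "\u0430pple.com",        # Cyrillic a (U+0430) followed by Latin "pple"
    "b\u00fccher.example",   # Latin only, with u-umlaut
]

if __name__ == "__main__":
    for h in SAMPLES:
        shown, why = display_form(h)
        print(f"{h!r:30} -> {shown:24} ({why})")
```
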
Conclusion
Though homograph attacks have declined, there still remain endless possibilities for attackers to develop more complex spoofing domains. In the end, it comes down to the user to keep their eyes open to any danger on the World Wide Web.
You can read what Google has to say about these attacks here.