ɑmɑzon.com or amazon.com: Which One Would You Click?

By Warren Domingo on March 6, 2020

Introduction

Domain name spoofing is a popular technique used in phishing campaigns to trick people into clicking a malicious link. Typosquatting uses slight misspellings of a domain name, and homograph spoofs substitute characters in the domain with similar-looking characters. Domain names normally use Latin characters, and they are commonly spoofed using look-alike characters from ASCII, Cyrillic, Greek, and Armenian. For this reason, domain registries like Verisign prevent mixed-script domain names. However, as a recently disclosed zero-day showed, convincing spoofed domains could still be registered through Verisign and used in a future phishing attack.

Vulnerability

Verisign does not allow the use of mixed-script domain names. Characters from both Latin and Greek, for example, cannot be used together to register a domain. However, Verisign allows non-ASCII Unicode characters to be mixed with ASCII Latin characters as long as the Unicode character itself belongs to the Latin script. This allows the use of “ɡ” (Voiced Velar Stop), “ɑ” (Latin Alpha), and “ɩ” (Latin Iota). The use of these characters may also be allowed on other domain registries that were not tested during the study.
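To show why a mixed-script check alone does not catch these domains, the following is an added Python example (not code from the original post) that decodes a logged domain from punycode, records the script of each letter, and folds the three Latin confusables above to ASCII so a look-alike of a protected brand can be flagged. The confusables table is a hand-built assumption covering only those three characters, and the sample domains are constructed.

```python
import unicodedata

# Hand-built mapping (an assumption for this example) of the three Latin-script
# confusables the post names to the ASCII letters they imitate. A production
# check would use the full Unicode confusables table instead.
LATIN_CONFUSABLES = {
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G (the "voiced velar stop")
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA
    "\u0269": "i",  # ɩ LATIN SMALL LETTER IOTA
}


def to_unicode(domain):
    """Decode a punycode (xn--) domain as it appears in logs; pass Unicode through."""
    if domain.isascii():
        return domain.encode("ascii").decode("idna")
    return domain


def letter_scripts(label):
    """Scripts used by the letters of a label (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Fold the Latin confusables to ASCII so look-alike labels compare equal."""
    return "".join(LATIN_CONFUSABLES.get(ch, ch) for ch in label)


def check_domain(domain, protected):
    """Classify a domain against a set of protected brand domains (lowercase ASCII)."""
    lowered = to_unicode(domain).lower()
    labels = lowered.split(".")
    scripts = set().union(*(letter_scripts(label) for label in labels))
    folded = ".".join(skeleton(label) for label in labels)
    return {
        "unicode": lowered,
        "non_ascii": not lowered.isascii(),
        # A registry's mixed-script rule only fires here; Latin confusables pass it.
        "mixed_script": len(scripts) > 1,
        "lookalike_of": folded if folded != lowered and folded in protected else None,
    }


if __name__ == "__main__":
    # Constructed samples: the post's ɑmɑzon.com, a Cyrillic-а variant, the real domain.
    for sample in ("\u0251m\u0251zon.com", "\u0430mazon.com", "amazon.com"):
        print(sample, check_domain(sample, {"amazon.com"}))
```

Note that the Cyrillic variant trips the mixed-script flag while the Latin-alpha variant does not, which is exactly the gap the registry rule leaves open.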

Impact

Such domains could be used in a phishing email or a large-scale social-engineering attack. A domain that looks very similar to the real one can get individuals to click and visit pages with malicious intent. The possibilities are endless, ranging from a malware dropper to an information gatherer that prompts for credentials.

Mitigation

Since the reclassification of this vulnerability as a zero-day, some domain registries like Verisign have treated the situation more seriously and implemented mitigations that prevent the use of the outlined homoglyphs. Not all registries have: DigitalOcean has stated that they see this as a very low threat at this time and have not released information on a patch. Amazon now prevents the registration of bucket names using Unicode homoglyphs for their web services. Other IaaS providers, such as Google and Wasabi, as well as others not listed, have no updates at this time and may still be vulnerable.

Relevance

This vulnerability was reclassified as a zero-day after researchers were able to register 27 major brand domains using homograph characters. Additionally, this specific spoofing technique is estimated to have been in use since 2017, and when 300 domains using this technique were tested, 15 had HTTPS certificates.
