
How are hackers using Unicode domains for spoofing attacks?

A proof of concept showed that hackers can use Unicode domains to make phishing sites look legitimate. Expert Matthew Pascucci explains how this spoofing attack works.

A security researcher published a proof-of-concept attack that leverages vulnerabilities regarding Unicode domains in major web browsers. According to the researcher, attackers can use Unicode domains to make phishing sites nearly indistinguishable from legitimate sites. What's the issue here, and are there any tactics to better detect these malicious sites?

Trust is a necessity in cybersecurity, and it's one of the main reasons attackers continually try to exploit it when assaulting networks.

We put a lot of time and defensive effort into verifying that a particular party on the internet is who they say they are, and we do this with good reason. But because of this need for trust, attackers rely on spoofing as a standard method of exploitation. The more convincingly an attacker can deceive someone, the higher the probability of success, or of staying hidden, while attempting an exploit.

This is where the recent proof of concept comes into play: it shows that attackers can abuse Unicode domains to impersonate legitimate sites. Attackers are able to trick users into clicking links that appear to point at legitimate domains but actually lead to malicious sites.

This deception works because many letters look very similar within Unicode domains, especially across the Latin and Cyrillic character sets. To the human eye there is no distinguishable difference between many of these letters, but computers treat them as different characters, and attackers use this to their advantage.

By registering these Punycode domains -- internationalized domain names whose non-ASCII characters have been encoded into an American Standard Code for Information Interchange (ASCII) form -- an attacker can register the domain xn--tst-6la.com, which a browser decodes and displays as a near-identical look-alike of test.com. These types of spoofing attacks are called homograph attacks.
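The following is an added example, not code from the original article or from the researcher's proof of concept. It shows the two checks a defender can run on a hostname: decode the Punycode form with Python's standard `idna` codec to see what the browser would display, then look for the two homograph patterns described above, a label that mixes scripts (Latin plus Cyrillic) and a label whose accented or Cyrillic letters collapse to a protected ASCII name. The `CONFUSABLES` table is a small hand-written subset of Cyrillic look-alikes (an assumption, not the full Unicode confusables data), and the `PROTECTED` list is a constructed allow-list; the article's own xn--tst-6la.com is used as input.

```python
"""Flag internationalized domain names (IDNs) that look like protected domains.

Added example: decodes Punycode ("xn--") labels, reports which scripts a label
mixes, and builds a crude "skeleton" (accents stripped, a few Cyrillic
look-alikes mapped to Latin) to compare against a list of domains to protect.
"""
import unicodedata

# Constructed, minimal table of Cyrillic letters that render like Latin ones.
# This is a hand-picked subset, not the Unicode confusables.txt data set.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}

# Constructed allow-list of domains we want to protect against look-alikes.
PROTECTED = {"test.com", "apple.com", "space.com"}


def to_ascii(hostname: str) -> str:
    """Return the Punycode/ASCII form of a hostname (ASCII labels pass through)."""
    return hostname.lower().encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Decode xn-- labels into the Unicode string a browser would display."""
    return to_ascii(hostname).encode("ascii").decode("idna")


def scripts_of(label: str) -> set:
    """Return the set of scripts used by the letters in one label."""
    found = set()
    for ch in label:
        if ch.isalpha():
            # Unicode names start with the script: 'LATIN', 'CYRILLIC', ...
            found.add(unicodedata.name(ch, "").split(" ")[0])
    return found


def skeleton(label: str) -> str:
    """Collapse accents and Cyrillic look-alikes so visual twins compare equal."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def assess(hostname: str) -> dict:
    """Decode a hostname and report homograph indicators."""
    display = to_unicode(hostname)
    labels = display.split(".")
    # Indicator 1: a single label drawing letters from more than one script.
    mixed = [lab for lab in labels if len(scripts_of(lab)) > 1]
    # Indicator 2: non-ASCII letters whose skeleton equals a protected name.
    non_ascii = any(ord(c) > 127 for c in display)
    twin = ".".join(skeleton(lab) for lab in labels)
    impersonates = twin if (non_ascii and twin in PROTECTED) else None
    return {
        "input": hostname,
        "display": display,
        "non_ascii": non_ascii,
        "mixed_script_labels": mixed,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    samples = [
        "test.com",                      # the legitimate domain
        "xn--tst-6la.com",               # the article's Punycode example
        "\u0430pple.com",                # constructed: Cyrillic a + Latin pple
        "\u0455\u0440\u0430\u0441\u0435.com",  # constructed: all Cyrillic
    ]
    for host in samples:
        print(assess(host))
```

The whole-script Cyrillic sample matters because a mixed-script heuristic alone does not catch it; only the skeleton comparison against a protected list does, which is why both checks are reported. In practice the confusables table should come from the Unicode confusables data rather than a hand-written subset.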

This particular issue was deemed a bug by Internet Explorer, Chrome and Opera, all of which either pushed out updates to remediate the issue or are working to have one released shortly. As of this time, Firefox has stated that the problem is with how registrars enable users to register domains in this manner, and it isn't taking a stance on remediating the issue. There is a workaround in the Firefox about:config settings that enables Firefox users to at least identify the malicious Punycode domains in the browser.

There will always be attackers looking to prey on your trust, and this is nothing new. This emphasizes the need to validate that URLs come only from trusted third parties, though knowing whether a party is trusted is itself the problem. Validating SSL certificates for sites with browser plug-ins and eventually having the internet embrace Domain Name System Security Extensions can stop these types of attacks from occurring.

Spoofing is nothing new, and there will always be attackers looking to gain an advantage by misleading and deceiving users for malicious purposes. This particular attack is difficult to defend against, but with an updated browser that remediates the spoofing ability of Punycode, and by being extra diligent with third-party links, you'll have the best chance to avoid it.

In the meantime, update your browsers if possible, and be careful clicking on links from third-party sources.
