A French researcher demonstrates homographic phishing

Sep 01, 2016

Although the techniques used in phishing campaigns are well known, they continue to claim victims. In most cases the fraud can be detected by paying close attention to the URL.

The French researcher Florian Courtial recently demonstrated that this visual check can be rendered useless by abusing punycode to build convincing homographs.

Unicode and punycode

A basic rule governs the world of domain names: special characters cannot be inserted in a domain name. In its raw form a domain name may only contain the ASCII letters and digits (a-z, A-Z, 0-9) and the hyphen, so accented or non-Latin letters have no direct place in it.

However, a solution was developed to give businesses and internet users whose languages use other alphabets (Cyrillic or Chinese, for example) the ability to create and visit sites with domain names written in their own script. This mechanism is called punycode, and it converts a Unicode domain name into an ASCII (American Standard Code for Information Interchange) domain name.

Consequently, the website of the French Academy, www.académie-française.fr, whose name contains the accented characters “é” and “ç”, is an internationalized domain name (IDN); browsers convert it to an ASCII form that looks quite different: www.xn--acadmie-franaise-npb1a.fr.

This conversion is completely transparent to the user because recent browsers perform it automatically, and that is precisely the detail attackers exploit.

Modus operandi

First of all, the attackers must control how the URL is displayed, so that the international domain name (which leads to the fraudulent site) is hidden behind a Unicode domain name that looks legitimate.

The social networks come in very useful here because they convert the IDN themselves: a punycode address typed into a post is shown to readers in its Unicode form. Florian Courtial illustrates this practice in a posting on Facebook.

[Figure: the international domain name as displayed while drafting the message]

[Figure: the text displayed by Facebook after posting. The “a” is actually a Cyrillic character]

A trap that is almost imperceptible

As the researcher demonstrates, at first glance there is no visible difference between “www.paypal.com” and “www.раураІ.com”. Copy and paste the two into a browser, however, and the result is quite different: the first link leads to the official site of the online payment platform, while the second leads to a phishing site, which in this case is harmless because Florian Courtial created it specifically for the demonstration.

In reality, the domain name of the phishing page is none other than an international domain name (http://www.xn--80aa0cbo0j.com) whose look-alike label is made up entirely of Cyrillic characters.
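The two conversions described in the "Unicode and punycode" section and the look-alike check a defender would want for the trap above, as an added example that is not code from the article or from Florian Courtial's demonstration. It uses Python's built-in `idna` codec to turn the displayed hostname into the punycode form DNS actually resolves, and a small confusable table (a hand-picked subset constructed for this example; a real deployment would use the full Unicode confusables.txt) to flag a label that merely looks like a protected brand. The sample hostnames are constructed from the article's two examples, and the `protected` brand list and the function names are assumptions of this example.

```python
"""Added example, not from the article: punycode conversion and a look-alike
check for displayed hostnames.  The confusable table is a partial subset
constructed for this demo; a production check would use the full Unicode
confusables.txt."""
import unicodedata

# Partial confusable table (constructed for this example): Cyrillic and Greek
# letters that render like ASCII letters in common fonts, plus Latin capital I,
# which is hard to tell from lowercase l in many sans-serif fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0406": "l",  # Cyrillic capital І, the last letter of the article's "раураІ"
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03b9": "i",
    "I": "l",
}

# Sample hostnames, constructed from the article's two examples.
ACADEMIE = "www.acad\u00e9mie-fran\u00e7aise.fr"
FAKE_PAYPAL = "www.\u0440\u0430\u0443\u0440\u0430\u0406.com"  # all-Cyrillic label

def to_ascii(host: str) -> str:
    """Unicode hostname -> the ASCII (punycode) form that DNS actually sees."""
    return host.encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """Punycode hostname -> the Unicode form a browser or social network shows."""
    return host.encode("ascii").decode("idna")

def script_of(ch: str) -> str:
    """Script of one character, taken from its Unicode name (LATIN, CYRILLIC, ...)."""
    if ch in "-.":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def scripts_in(label: str) -> set:
    """Set of scripts used by the letters of a label; digits and hyphens ignored."""
    return {script_of(c) for c in label} - {"COMMON", "DIGIT"}

def skeleton(label: str) -> str:
    """Fold look-alike characters to their ASCII counterparts, then lowercase."""
    return "".join(CONFUSABLES.get(c, c) for c in label).lower()

def assess(displayed_host: str, protected=("paypal", "google", "apple")) -> dict:
    """Say what a displayed hostname really resolves to and why it is suspicious."""
    ascii_host = to_ascii(displayed_host)
    findings = []
    for label in displayed_host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in '{label}': {sorted(scripts)}")
        real = to_ascii(label)
        for brand in protected:
            if skeleton(label) == skeleton(brand) and real.lower() != brand:
                findings.append(f"'{label}' looks like '{brand}' but resolves to '{real}'")
    return {
        "displayed": displayed_host,
        "resolves_to": ascii_host,
        "uses_punycode": "xn--" in ascii_host,
        "findings": findings,
    }

if __name__ == "__main__":
    print(to_ascii(ACADEMIE))      # www.xn--acadmie-franaise-npb1a.fr
    print(to_ascii(FAKE_PAYPAL))   # www.xn--80aa0cbo0j.com
    for host in ("www.paypal.com", FAKE_PAYPAL):
        print(assess(host))
```

Running it reproduces both addresses quoted in the article. Note that the fake label is written in a single script, so a mixed-script check alone raises nothing; it is the skeleton comparison against a list of protected brands that reports that “раураІ” resolves to xn--80aa0cbo0j, which is why a defender should log or display the punycode form rather than trust the rendered text.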

To guard against this kind of attack, the researcher's finding is a reminder to keep a close eye on the browser's address bar, particularly when following links shared on the social networks. If in doubt, check that the TLS/SSL certificate presented over HTTPS actually belongs to the site in question, because, as Florian Courtial points out, the green padlock does not vouch for a website's reputation: in the fake PayPal demonstration, the researcher could easily have added a (false) certificate to the phishing page in order to obtain the icon in question.

As for the social networks, they unwittingly assist attackers, without their users' knowledge, by not implementing counter-measures that prevent the automatic translation of IDNs.

Finally, this type of attack also marks a shift in the modus operandi of cyber-fraudsters who, without abandoning so-called traditional phishing or spear-phishing techniques, are turning to channels that lend themselves to undifferentiated propagation on a massive scale, namely the social networks.