
The Homograph Attack

April 27, 2017

Imagine sitting in front of your computer. As you check your email, you come across a message advertising a great deal on the Apple iPad. You've been wanting to get one so you can hand your old one down to your child, so you click the link, which appears to go to https://www.apple.com.


Now you check: is it secure? You see the green lock and the https in the URL. Okay, it's secure. Is it real? The address bar reads https://www.apple.com, so it must be real. (Keep in mind what the lock actually tells you: the connection to the domain shown is encrypted and the certificate matches that domain. Whoever registers a look-alike domain can obtain a valid certificate for it, so the lock says nothing about whether the domain is the one you think it is.)

If you had looked closer, you would have seen https://www.xn--80ak6aa92e.com/, not https://www.apple.com.

How is this even possible?

Is It Magic?

According to researcher Xudong Zheng, who published the demonstration, if you are using Chrome (before version 58.0.3029.81), Firefox, or Opera, you are in danger of being caught off guard by this attack. But why?

It comes down to how these browsers display Unicode characters. Briefly, "Unicode provides a unique number for every character, no matter what the platform, no matter what the program, and no matter what the language" (Unicode Consortium). In other words, every character in every writing system is assigned a distinct number, written as U+ followed by its hexadecimal code point: Latin "a" is U+0061, while the Cyrillic "а" that looks identical on screen is U+0430. Since many scripts (Greek, Cyrillic, Armenian, Latin, etc.) contain letters that look alike, you can assemble a domain name that is visually indistinguishable from a legitimate one, as in the apple.com example, where every letter is in fact Cyrillic. (To experiment, see Irongeek's homoglyph attack generator: https://www.irongeek.com/homoglyph-attack-generator.php.)

This security concern isn't new. It was described in 2001 by Evgeniy Gabrilovich and Alex Gontmakher in their paper "The Homograph Attack." DNS itself only carries ASCII labels, so when internationalized domain names were introduced to expand the characters allowed in domain names, the IDNA standard specified Punycode (RFC 3492) as the on-the-wire form: the Unicode label is encoded as ASCII and prefixed with "xn--". Browsers by default decode the Punycode label and display its Unicode form, and that convenience is what the attack exploits. You can register a domain made of Greek, Cyrillic, or other look-alike letters, put its Punycode form in a link, and when the page loads the browser displays the Unicode translation, disguising a phishing site as the legitimate one. In the example, https://www.xn--80ak6aa92e.com/ is displayed as https://www.аррӏе.com/, which is indistinguishable on screen from https://www.apple.com.

(Now, don’t go buying up domains)

How Can You Protect Yourself?

Browsers like Edge, IE, and Safari were not fooled because they filter what the address bar displays: if a label mixes characters from multiple scripts, or uses a script the browser does not trust for display (IE and Edge base this on the user's configured languages), they show the Punycode form instead of the Unicode. If your browser language is set to one that uses that script, the label is displayed in Unicode. Note that a mixed-script check alone is not enough here: xn--80ak6aa92e decodes to five Cyrillic letters from a single script. That is why Chrome 58 added a further rule, showing Punycode for any label that consists entirely of Cyrillic letters that resemble Latin ones. Chrome before 58.0.3029.81, Firefox, and Opera did not apply such filters at the time; they decoded the Punycode and displayed the Latin-looking characters.
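To make the Punycode explanation and the browser display rules above concrete, here is an added Python example. It is not code from the original post or from any browser. It decodes the post's domain from its xn-- form, shows which ASCII string it imitates, and applies a display policy modelled on the behaviour described above: show Punycode for a label that mixes scripts, and also for a label made entirely of Cyrillic letters that each resemble a Latin letter. The Cyrillic-to-Latin table is a small hand-built subset (the full list is Unicode TR #39's confusables.txt), and detecting a script by the first word of a character's Unicode name is a simplification of the real Script property.

```python
"""Homograph check: Punycode round-trip and a browser-style display policy.

Added example, not from the original post. CYRILLIC_TO_LATIN is a small
hand-built subset of look-alikes; the authoritative list is confusables.txt
from Unicode TR #39.
"""
import codecs
import unicodedata

# Constructed subset of Cyrillic letters that render like ASCII letters.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0458": "j", "\u0455": "s",
    "\u0456": "i", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

ACE_PREFIX = "xn--"


def decode_label(label: str) -> str:
    """Turn one hostname label from its Punycode (xn--) form back into Unicode."""
    if label.lower().startswith(ACE_PREFIX):
        return codecs.decode(label[len(ACE_PREFIX):].encode("ascii"), "punycode")
    return label


def encode_label(text: str) -> str:
    """Inverse of decode_label: ASCII labels pass through, others get xn--."""
    if text.isascii():
        return text
    return ACE_PREFIX + text.encode("punycode").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a decoded label ("LATIN", "CYRILLIC", ...).

    Digits and hyphens are script-neutral and skipped. Taking the first word of
    the Unicode character name is a simplification of the Script property.
    """
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def latin_skeleton(label: str):
    """ASCII string the label is visually indistinguishable from, or None.

    None means at least one character has no ASCII look-alike in the table,
    so the label cannot pass for a plain Latin domain.
    """
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in CYRILLIC_TO_LATIN:
            out.append(CYRILLIC_TO_LATIN[ch])
        else:
            return None
    return "".join(out)


def display_label(label: str) -> str:
    """Decide how the address bar should render one label.

    Mixed-script labels are shown as Punycode (the Edge/IE/Safari rule in the
    text). A label made entirely of Cyrillic letters that all look Latin is
    also shown as Punycode (the rule Chrome 58 added). Everything else is
    shown in Unicode.
    """
    unicode_form = decode_label(label)
    if unicode_form.isascii():
        return unicode_form
    used = scripts_in(unicode_form)
    if len(used) > 1:
        return encode_label(unicode_form)  # mixed script: show xn--
    if used == {"CYRILLIC"} and latin_skeleton(unicode_form) is not None:
        return encode_label(unicode_form)  # whole-label Latin look-alike
    return unicode_form


def display_hostname(hostname: str) -> str:
    """Apply display_label to every label of a hostname."""
    return ".".join(display_label(part) for part in hostname.split("."))


if __name__ == "__main__":
    # The domain from the post: five Cyrillic letters, not "apple".
    host = "www.xn--80ak6aa92e.com"
    decoded = decode_label(host.split(".")[1])
    print(decoded, [hex(ord(c)) for c in decoded])
    print("looks like:", latin_skeleton(decoded))
    print("address bar shows:", display_hostname(host))
    print("address bar shows:", display_hostname("www.apple.com"))
```

Running it prints the decoded label with code points U+0430, U+0440, U+0440, U+04CF, U+0435, reports that it looks like "apple", and shows that the policy keeps the domain in its xn-- form while a genuine Cyrillic word such as "яндекс" (which has no all-Latin skeleton) would still be displayed in Unicode.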

But if you use Firefox, what can you do? All isn't lost. Even though Mozilla hasn't published an update to fix this issue, you can do the following:

Step 1: Type about:config in the Firefox address bar and hit Enter.

Step 2: Type network.IDN_show_punycode in the search bar and set it to "true" by double-clicking it. Firefox will then show every internationalized domain name in its xn-- form, including legitimate ones, so a site you expect to see in Cyrillic or Chinese will also appear as Punycode.

If you use Chrome, this was addressed in the stable 58 release. So, just check your version and make sure you are on the newest update.

If you use Opera... well, you can click the lock icon next to the URL and it will display a window with the Punycode (see image below). But that's it: if you want to verify that a URL is the real deal, checking its Punycode form that way is how.

[Image: Opera's site information panel showing the Punycode form of the domain]

It all comes down to being aware and knowing what to do. Here is a short checklist to help you stay safe:

  • Don't click links in unexpected emails or documents; type the address yourself or use a bookmark
  • Keep Chrome and all your other browsers up to date
  • If you use Firefox, make the recommended about:config change listed above

Till next time, stay safe. 
