- Homograph attacks are a brandjacking-adjacent threat.
- These attacks rely on the similarity of non-Roman alphabet characters to Roman characters.
- While researchers have developed counters to standard homograph attacks, new attack types have emerged.
In a previous post, we discussed ways that IT managers can prevent brandjacking of their domains and their businesses. The advice in that post is useful, but there is another dimension to brandjacking, and that is the use of homoglyph or homograph attacks by cybercriminals. These attacks are also called international domain names or Punycode attacks. Regardless of their exact name, the idea behind these attacks is simple to explain, with a bit of Internet history.
When the Internet was first created, it was based on using Roman alphabet characters in domain names. This is the character set that is used by many of the world’s languages, but not all of them. As the Internet expanded across the globe, it connected countries where other alphabets were in use, such as Arabic or Mandarin.
The international domain name standards were created to handle non-Roman alphabet characters for domains and URLs. The way you can tell is that the domains begin with the Roman letters “xn-” to indicate the non-Roman characters to follow. This is useful because you don’t necessarily want everyone to learn Roman alphabets if they speak a language that uses other character sets.
The trouble is that many of these characters look very similar to the Roman ones that you and I use in English. For example, the lowercase “a” in Cyrillic looks exactly like the lower case Roman “a.” Spammers purchased domains that looked just like the all-Roman letters, with one or two changes using some other character set. Several years ago, researchers discovered this ploy, and since then all modern browsers have been updated to recognize the homograph attack methods of using “xn–80ak6aa92e.com” instead of “apple.com.” Go ahead, try typing the term into your browser’s URL bar, it won’t be resolved. But back in the day, this would bring up what looked like the ordinary Apple webpage, cleverly copied by some scammer to fool the unsuspecting user.
The homograph attacks differ from ordinary typosquatting: these are domains such as googel.com that are specifically purchased by spammers because of lousy typists who are in a hurry and don’t check their work. Typosquatting is once again in the news with this warning from the FBI about potential phishing attacks using this method that are leveraging the upcoming US election. And this story shows how prevalent typosquatting currently is. Most modern browsers also automatically correct for this, by the way. Isn’t it nice that we have some smart coders who can figure out our foibles? (That is a rhetorical question, don’t answer it.)
New Homograph Attacks Discovered
Most security researchers figured the homograph problem was solved, but of course in the cat-and-mouse world of malware, it is only a matter of time before something tips the balance back to favor the attackers. This was the case with a recent discovery by Malwarebytes about how the Inter skimming malware kit was combined with favicons for a new homograph attack.
Favicons are the small icons that precede the URL text in a browser’s entry field. Most browsers ignore them, but you can still see them if you show your bookmarks list or if you specify the URL that links to them, such as here for Google’s colorful G (shown below). They used to be an indicator that you were browsing the expected site, but now browsers use more sophisticated checks so they have fallen out of favor.
The latest ploy is to compromise the .ico file used to generate the favicon for a site and pack it with a piece of malware. This is a more sophisticated injection attack, where the malware puts code to take advantage of a website. The goal of this type of attack is to abuse a payment webpage and steal your credit card data. The researchers tracked several domains that were using the hacked favicon to gain access to various eCommerce sites.
Fortunately, this story has a happy ending: once the researchers figured out the attack sequence, they contacted the domain owners to warn them. They found that they’d already discovered the skimmer and removed the code. What this shows, however, is the lengths that adversaries will go to in order to compromise your websites, and how you need to be on the lookout for anything suspicious. It also illustrates how the online criminal world continues to evolve, trying to figure out ways to get around our defenses.
There is an important lesson here for IT professionals: watch out for injection-style attacks across your web infrastructure. Every element of your web pages can be compromised, even rarely-used tiny icon files. By paying attention to all possible threats today, you’ll save yourself and your organization a lot of trouble tomorrow.