Keeping safe from Homograph Attacks

With the security landscape constantly changing, it can be hard to keep on top of the latest threats. We would therefore like to draw your attention to homograph attacks where Internationalised Domain Names (IDN) are used to masqauraed as legitimate domains. We have seen a wave of these attacks against small to medium businesses across a wide range of industries so nowhere seems to be targeted specifically.

In practice, this attack makes it much harder to tell the difference between legitimate and spoofed links in emails, office documents etc. Even savvy, well trained staff that are aware of phishing risks can potentially be fooled into clicking on malicous links containing domains which are not what they purport to be.

What is an IDN?

IDNs are domain names that, wholly or partly, use characters from a non-latin script (alphabet), which are encoded using the Unicode standard. For the Domain Name System (DNS) to be able to “read” them correctly, IDNs are stored in the DNS as regular ASCII strings using Punycode transcription.

“Punycode can represent Unicode characters using the limited ASCII character set – for example, my localized domain žugec.sk is actually a domain xn--ugec-kbb.sk,” Martin Zugec, Technical Solutions Director at Bitdefender, explained.

So for example the punycode domain "xn--80ak6aa92e.com" would show as "аррӏе.com" when displayed using Unicode, which could easily lead to someone being tricked into visiting it as it is visualy very similar to "apple.com".

Spoofed IDN homograph domains are created by combining characters from these different non-latin alphabets, which to the end recipient look so similar to another letter that they can make differentiation almost impossible. This can then be leveraged in a phishing attack to install malware or steal login credentials.

“Homograph attacks are not a new concept,” Zugec comments. “Over the years, there have been multiple attempts to solve this problem. Today, we rely on a combination of domain registration vetting and awareness built into client applications as the two most common methods to prevent the risk of these attacks.”

Those checks aren’t perfect though and so they cannot be relied upon to protect against this type of attack

The Office weakness

Most web browsers will show the ASCII representation of an IDN (such as https://xn--n1aag8f.com from Zugec's example) in the address bar, instead of the display name such as žugec.com if the site is considered suspicious. But, as Bitdefender researchers discovered, Microsoft Office applications (with the notable exception of Teams) will show the display name!

This makes it hard for employees to tell whether links embedded in Office documents are legitimate and so represents a serious risk for your business!

Protection

This is another key area of cyber security which is essential to having a good handle on in order to ensure that your staff or even yourself don't fall victim to a homograph attack. Freethought suggests three key areas of protection:

• Endpoint protection
• Multi Factor Authentication (MFA)
• Training

Endpoint protection needs to be a holistic package including up-to-date applications, antivirus, web filtering and antimalware. This is the first line of defence against any attack!

MFA is the second level of protection that helps to limit the damage should some get tricked into handing over their login details.

Lastly, staff training helps to reduce the chance of someone getting tricked in the first place. Training can be done via online videos or trhough in-person training and may even include simulations.

To keep up to date with all our hints and tips simply sign up below!