Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing
Adrian Crenshaw AIDE 2012 (Hacking Illustrated Series InfoSec Tutorial Videos)
One of the key cues users rely on to tell whether a URL is part of a phishing
attack is comparing the host and domain name against what they expect for the
legitimate site. Punycode, the ASCII-compatible encoding used by the
Internationalized Domain Names in Applications (IDNA) framework as it is
deployed on the Internet, was designed as a way to map characters that would
normally be invalid in DNS host names onto valid ASCII characters, so that a
name containing non-Latin characters can be carried in ordinary DNS labels
(the familiar "xn--" form).
A homoglyph is a symbol that appears to be the same as, or very similar to,
another symbol. An example most people are familiar with is the letter O and
the number 0. Depending on the font used they may be hard to distinguish from
each other. The letters l (lower case L) and I (upper case i) are another common
example. Where it becomes even more interesting are the places in Unicode where
very similar characters exist in different scripts. Characters from other
scripts that resemble the plain Latin alphabet, Latin letters with diacritic
accents, letter-like symbols and other usable homoglyphs turn up with great
regularity, some of them near-exact duplicates of the symbol they resemble.
Cyrillic script is a common example, possessing very close homoglyphs for a, c,
e, o, p, x and y. Even the Latin alphabet appears more than once in Unicode (for
example in the fullwidth forms block).
The approach we plan to take is fairly simple. The plan is to generate many
potential attack URLs and then test the following:
1. How different browsers display the host name in the URL bar (as the
   Unicode look-alike or as its xn-- Punycode form).
2. How different mail systems show the URL when the email is displayed.
3. How social networks render the URL.
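The following is an added example, not code from the talk, of the first step
of that plan: generating candidate look-alike host names by swapping Latin
letters for the Cyrillic homoglyphs listed above and converting each one to
its Punycode (xn--) form. It uses Python's standard-library "idna" codec
(IDNA 2003 with nameprep), so it also shows the caveat a practitioner runs
into: a fullwidth Latin letter is normalized back to plain ASCII before
encoding and therefore never produces a distinct domain. The target
"paypal.com" and the homoglyph table are illustrative choices; how a given
browser or mail client then displays these names is exactly what the talk
sets out to measure and is not modelled here.

```python
import itertools
import unicodedata

# Latin letters and the Cyrillic look-alikes named in the abstract.
# The code points are real; using exactly this table is an illustrative choice.
CYRILLIC_HOMOGLYPHS = {
    "a": "\u0430",  # CYRILLIC SMALL LETTER A
    "c": "\u0441",  # CYRILLIC SMALL LETTER ES
    "e": "\u0435",  # CYRILLIC SMALL LETTER IE
    "o": "\u043e",  # CYRILLIC SMALL LETTER O
    "p": "\u0440",  # CYRILLIC SMALL LETTER ER
    "x": "\u0445",  # CYRILLIC SMALL LETTER HA
    "y": "\u0443",  # CYRILLIC SMALL LETTER U
}


def to_punycode(hostname: str) -> str:
    """Encode a Unicode hostname to its ASCII form (IDNA 2003 via the
    standard-library codec). Pure-ASCII labels come back unchanged, labels
    containing non-ASCII characters come back as xn-- labels."""
    return hostname.encode("idna").decode("ascii")


def from_punycode(ascii_hostname: str) -> str:
    """Reverse of to_punycode: what a client shows if it renders Unicode."""
    return ascii_hostname.encode("ascii").decode("idna")


def non_ascii_chars(hostname: str):
    """List (position, char, Unicode name) for every non-ASCII code point.
    This is the information a cautious reader would want before trusting
    a name that looks like a familiar domain."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(hostname) if ord(ch) > 0x7F]


def candidate_hostnames(label: str, suffix: str, max_subs: int = 1):
    """Return (unicode_host, ascii_host) pairs for every way of replacing up
    to max_subs letters of `label` with a Cyrillic homoglyph. Candidates whose
    encoded form is not actually different from the real name (for example
    because nameprep normalized the substitution away) are dropped."""
    positions = [i for i, ch in enumerate(label) if ch in CYRILLIC_HOMOGLYPHS]
    real = to_punycode(label + "." + suffix)
    results, seen = [], set()
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            chars = list(label)
            for i in combo:
                chars[i] = CYRILLIC_HOMOGLYPHS[chars[i]]
            unicode_host = "".join(chars) + "." + suffix
            ascii_host = to_punycode(unicode_host)
            if ascii_host == real or ascii_host in seen:
                continue
            seen.add(ascii_host)
            results.append((unicode_host, ascii_host))
    return results


if __name__ == "__main__":
    # Constructed target: "paypal" with the first 'a' replaced by Cyrillic a.
    look_alike = "p\u0430ypal.com"
    print(look_alike, "->", to_punycode(look_alike))
    print(non_ascii_chars(look_alike))
    # Fullwidth 'p' (U+FF50) collapses to plain ASCII under nameprep.
    print("\uff50aypal.com", "->", to_punycode("\uff50aypal.com"))
    for uni, asc in candidate_hostnames("paypal", "com", max_subs=2):
        print(f"{uni:<14} {asc}")
```

The list the script prints is the raw material for the tests in the plan: each
Unicode/ASCII pair can be pasted into a browser, an email or a social-network
post to see which form the recipient is actually shown.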
Bio:
Adrian Crenshaw has worked in the IT industry for the last twelve years. He runs
the information security website Irongeek.com, which specializes in videos and
articles that illustrate how to use various pen-testing and security tools. He
did the cert chase for a while (MCSE NT 4, CNE, A+, Network+, i-Net+) but stopped
once he had to start paying for the tests himself. He's currently working on a
Masters in Security Informatics, and is interested in obtaining a network
security/research/teaching job in academia.