Help Irongeek.com pay for bandwidth and research equipment:
Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing
Adrian Crenshaw AIDE 2012 (Hacking Illustrated Series InfoSec Tutorial Videos)
Out of Character: Use of Punycode and Homoglyph Attacks to
Obfuscate URLs for Phishing
One of the key components users leverage to tell if a URL is part of a phishing
attack is to compare the host and domain name to their expectations for the
legitimate site. Punycode, or more formally the Internationalized Domain Names
in Applications (IDNA) framework as it is used on the Internet, was designed as
a way to map characters that would normally be invalid in DNS host names to
A homoglyphs is a symbol that appears to be the same or very similar to another
symbol. An example most would be familiar with is the letter O and the number 0.
Depending on the font used they may be hard to distinguish from each other. The
letters l (lower case L) and I (uppercase i) are another common example. Where
it becomes even more interesting are the places in Unicode where very similar
characters exist from different languages. Languages that use characters which
look similar to the normal Latin alphabet with diacritic accents, letter-like
symbols and other useable homoglyphs pop up with great regularity, some seeming
to be almost exact duplicates of the same symbol. Cyrillic script is a common
example, possessing very close homoglyphs for a, c, e, o, p, x and y. Even the
Latin alphabet appears twice in Unicode.
The approach we plan to take is fairly simple. The plan will be to generate many
potential attack URLs and then test the following:
1. How different browsers show the Punycode in the URL bar.
2. How different mail systems show the URL when email is displayed.
3. How social networks render the URL.
Adrian Crenshaw has worked in the IT industry for the last twelve years. He runs
the information security website Irongeek.com, which specializes in videos and
articles that illustrate how to use various pen-testing and security tools. He
did the cert chase for awhile (MCSE NT 4, CNE, A+, Network+. i-Net+) but stopped
once he had to start paying for the tests himself. He's currently working on a
Masters in Security Informatics, and is interested in obtaining a network
security/research/teaching job in academia.