Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing Adrian Crenshaw AIDE 2012 (Hacking Illustrated Series InfoSec Tutorial Videos)

Out of Character: Use of Punycode and Homoglyph Attacks to Obfuscate URLs for Phishing
Adrian Crenshaw

AIDE 2012

 

One of the key components users leverage to tell if a URL is part of a phishing attack is to compare the host and domain name to their expectations for the legitimate site. Punycode, or more formally the Internationalized Domain Names in Applications (IDNA) framework as it is used on the Internet, was designed as a way to map characters that would normally be invalid in DNS host names to valid characters.

A homoglyph is a symbol that appears to be the same as, or very similar to, another symbol. An example most would be familiar with is the letter O and the number 0. Depending on the font used, they may be hard to distinguish from each other. The letters l (lowercase L) and I (uppercase i) are another common example. Where it becomes even more interesting are the places in Unicode where very similar characters exist from different languages. Characters that look like letters of the normal Latin alphabet with diacritic accents, letter-like symbols and other usable homoglyphs pop up with great regularity, some seeming to be almost exact duplicates of the same symbol. Cyrillic script is a common example, possessing very close homoglyphs for a, c, e, o, p, x and y. Even the Latin alphabet appears twice in Unicode.

The approach we plan to take is fairly simple. The plan will be to generate many potential attack URLs and then test the following:

1. How different browsers show the Punycode in the URL bar.

2. How different mail systems show the URL when email is displayed.

3. How social networks render the URL.
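As an added illustration of the Punycode and homoglyph points above (not code from the talk or from Irongeek.com), the following Python check reports, for each label of a host name, its Punycode form, the scripts it mixes, and whether swapping the Cyrillic look-alikes listed in the abstract yields a plain ASCII name. The function names, the look-alike table and the sample host names are assumptions constructed for this example, and it uses Python's raw `punycode` codec on lowercased labels rather than full IDNA mapping and validation.

```python
import unicodedata

# Cyrillic letters the abstract lists as close homoglyphs of Latin a, c, e, o, p, x, y
# (constructed table for this example, not an exhaustive confusables list).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}

def script_of(ch):
    """Coarse script guess taken from the first word of the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]   # e.g. 'CYRILLIC', 'LATIN', 'GREEK'
    except ValueError:
        return "UNKNOWN"

def to_ascii_label(label):
    """ASCII form of one DNS label: unchanged if ASCII, else 'xn--' + Punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def inspect_host(host):
    """Per-label report: Punycode form, scripts present, and Latin 'skeleton'."""
    report = []
    for label in host.lower().split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
        report.append({
            "label": label,
            "ascii": to_ascii_label(label),
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
            # Non-ASCII label that collapses to pure ASCII once look-alikes are
            # swapped: it can be read as a Latin name even if single-script.
            "suspicious": not label.isascii() and skeleton.isascii(),
            "skeleton": skeleton,
        })
    return report

if __name__ == "__main__":
    # Constructed samples: mixed-script label, whole-script Cyrillic look-alike,
    # and an ordinary Cyrillic word that should not be flagged.
    for host in ("ex\u0430mple.com", "\u0441\u0430\u0440\u0435.test",
                 "\u043f\u0440\u0438\u043c\u0435\u0440.test"):
        for row in inspect_host(host):
            print(row)
```

The second sample shows why a mixed-script test alone is not enough: a label written entirely in Cyrillic can still read as a Latin word.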



Bio:
Adrian Crenshaw has worked in the IT industry for the last twelve years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for a while (MCSE NT 4, CNE, A+, Network+, i-Net+) but stopped once he had to start paying for the tests himself. He's currently working on a Masters in Security Informatics, and is interested in obtaining a network security/research/teaching job in academia.

Slides:
PPT
PDF

Recorded at AIDE 2012

Download from:
http://archive.org/download/Aide2012/OutOfCharacterUseOfPunycodeAndHomoglyphAttacksToObfuscateUrlsForPhishing-AdrianCrenshaw.avi

Copyright 2014, IronGeek