[ISN] Experts: International domain names may pose threat

InfoSec News isn at c4i.org
Tue Feb 8 03:53:55 EST 2005


By Paul Roberts
IDG News Service

Security experts are warning about a new threat to Web surfers:  
malicious Web sites that use international domain names to spoof the
Web addresses of legitimate sites.

The new trick is a variation of a known technique called the
"homograph attack" and takes advantage of loopholes in the way some
popular Web browsers display domain names that use non-English
characters. It could allow malicious hackers and online identity theft
groups to trick unsuspecting users into divulging sensitive personal
information, according to advisories from The Shmoo Group, a hacker
collective, and Secunia.

The warning was published after a demonstration of the new kind of
homograph attacks at ShmooCon, a hacker convention in Washington, D.C.  
Secunia, of Copenhagen, issued advisories on the new issue for users
of affected browsers and declared the issue "moderately critical."

Homograph attacks are a well-known trick in which character
resemblance, for example, between the letter "O" and the number "0" is
used to fool users into thinking that a bogus Web site actually
belongs to a legitimate company. For example, malicious hackers might
register the domain www.pcw0rld.com and design it to mimic the popular
computer news Web site.

The latest threat was first described by Evgeniy Gabrilovich and Alex
Gontmakher, computer science students at Technion, the Israel
Institute of Technology. The attack takes advantage of changes
supported by Internet standards bodies such as the Internet
Engineering Task Force (IETF) to allow domain names to be registered
in national alphabets using non-English characters. The new
Internationalized Domain Name (IDN) program makes it easier for
non-English speakers to use the Web but also creates opportunities for
malicious hackers, Gabrilovich and Gontmakher wrote.

For example, attackers could register a Web domain bloomberg.com,
which looks identical to the popular business news Web site, but in
which the letters "o" and "e" have been substituted with
identical-looking substitutes from the Cyrillic alphabet, used in the
Russian language, creating a new domain, the authors said (see here .)  
In another example, the authors registered the domain
www.microsoft.com, in which the English letters "c" and "o" in that
domain were substituted with their Cyrillic counterparts.

Links to the bogus Web sites in e-mail messages could be disguised by
hiding the actual URL with non-English characters, such as
"http://www.p.ypal.com," in the HTML code of the e-mail message.  
Affected Web browsers would make the trick work by cleaning up that
URL and displaying it with the international character. In this
example, it would look like www.paypal.com, said Dan Hubbard, senior
director at WebSense.

Some popular Web browsers, including The Mozilla Foundation's Firefox
1.0, Apple's Safari Version 1.2.5 and Opera Software ASA's Version
7.54 browser all render the IDN characters in a way that could be used
in an attack, according to details released by The Shmoo Group.

Ironically, Microsoft's Internet Explorer browser, a popular target
for Web-based attacks, is not vulnerable to the IDN homograph attack,
The Shmoo Group said.

The homograph vulnerability has been talked about for a long time but
has not been commonly used because Internet domain name registrars
didn't support IDN. Now that many registrars do support it, the
homograph attacks carry more weight, Hubbard said.

"It's just another method for phishers to use," he said.

The vulnerability will be particularly useful for attacking Web
surfers who are using browsers other than Internet Explorer, and
phishing scam artists may develop scams to use it when they detect
that a potential victim is on a browser other than IE, he said.

Web users were advised not to follow Web links from untrusted sources
and to type in Web domains manually when in doubt. Internet users can
also cut and paste suspect Web links into Windows Notepad or other
text readers to see what character set the URL is written in, The
Shmoo Group said.

FireFox supports IDN by default, but users can disable it by typing
about:config into the browser's address bar, locating the
network.enableIDN option, and double clicking on it to set it to

More information about the ISN mailing list