Look twice before уou click by Alexis HIRSCHHORN

Have you noticed anything unusual when reading the headline in the photo? If you did not, be aware that you have just been exposed to a homograph attack. This is nothing new, but we’ve seen an increase in homograph attacks with improved chances of deception in phishing messages and emails.

What IS a homograph attack?

According to Wikipedia:

‘The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike (…)’

To put things into perspective, please have a look at the following domain names. Can you tell the legitimate ones apart from the ones that could potentially be used in a homograph attack?

www.ikea.com vs www.iƙea.com

www.googḻe.com vs www.google.com

www.alịbaba.com vs www.alibaba.com

www.harıbo.com vs www.haribo.com

If you believe all the legitimate domain names are on the same side, you are mistaken; have another good look at them.

Origins of homograph attacks

At the birth of the internet, its development was centered on the English language, and domain names could only be composed using a limited set of characters, also known as ASCII (American Standard Code for Information Interchange).

With the internationalization of the internet, and the reality that English is no longer the most used language on the internet, this limitation became untenable: it deprived non-Western users of names that reflected their own languages. For example, how would a Japanese company consider registering its trademark (written in Katakana) in its own country extension if this only allows Latin characters?

Today, more than half of the content available on the Web is in English, a language that represents only 6% of the planet’s population.

It was not until the early 2000s, more than 20 years after the first .COM was registered, that we saw the first domain names containing non-Latin characters. The new standard was named Unicode, boasting 120 000 characters.

New language, new possibilities for abuse.

In 2002, the first demonstration of a homograph attack was carried out by two Technion – Israel Institute of Technology students, who registered <miсrоsоft.com>, using the Cyrillic alphabet’s characters ‘c’ and ‘o’.

While homoglyph domain name registration has been technically possible for years, it was not regarded as a tangible threat until recently. One of the reasons for this is that by default, some browser manufacturers show the Punycode version of the domain name (such as “xn--hotmal-t9a.net“) in the address bar, instead of the native-character version.

Air France and WhatsApp under attack

In February 2018, many users reported receiving a fraudulent advert via WhatsApp in which 2 airline tickets were being given away.

The URL contained in the message was www.airfrạnce.com.

At a quick glance, a URL displayed in a message as www.airfrạnce.com can look legitimate. Even as I write this, I wonder whether someone reading it might initially think there is a speck of dust on their screen, rather than suspecting that any ‘special characters’ are in play.

Cleverly designed homograph attacks can be extremely hard to catch. This Rolex ad for example:

More and more people are expecting attacks from unsolicited sources.

Sometimes, however, attacks can come from the unlikeliest of sources, as a young Chicago festivalgoer found out after losing her iPhone. She subsequently received a seemingly legitimate text message with a link to what looked like the Find My iPhone webpage, where she entered her credentials. Criminals were then able to access her account and wipe her iPhone clean.

Why homograph attacks can be successful

There are many reasons these types of attack can find victims, the most obvious one being humans. We have this extraordinary ability to misinterpret things from time to time, for various reasons. I would say the inability to fully explain this is due to the fact that we still have not been able to fully understand the human brain.

Here are a few factors that can greatly impact the success or failure of a homograph attack:

  • The technology displaying the message containing the homograph attack

  • The user’s level of attention when reading the message

  • The user’s stress level when reading the message

  • The user’s vision health

  • The non-Latin characters used in the attack

How do I keep safe?

As with spam, as with phishing, as with all sources of online threats, there are principles that can be applied to protect yourself from being the next victim of such an attack:

  1. Keep a vigilant eye when looking at web addresses: If some of the letters in the URL look unusual, or the website design looks different, retype it, copy + paste it, or visit the original company URL in a new tab to compare.

  2. Don’t give homographs a chance: Force your browser to display Punycode names

  3. Better safe than sorry: If you have any doubts or are simply curious, click/tap on the padlock in your browser’s address bar and inspect the HTTPS certificate.

  4. Too good to be true: If you are being offered a deal, go to the original company site and check if it’s available there as well

  5. Be wary of actions you are asked to take: if the site is pressing you to act quickly or using FOMO, attackers are likely banking on users letting excitement get the best of their common sense
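Steps 1 and 2 above can be automated for the domain pairs shown earlier in this article. The script below is an added example, not code from the article or its author: it shows the Punycode (“xn--”) form a browser displays when IDN rendering is turned off, and names every non-ASCII character so the lookalike script is visible. The sample domains are constructed from the article’s examples using \u escapes; the Punycode here is raw RFC 3492 encoding via Python’s codec, without the full IDNA mapping a browser applies.

```python
import unicodedata

# Constructed sample: the pairs shown in the article, written with \u escapes
# so the lookalike code points are visible in the source.
SAMPLE_DOMAINS = [
    "www.ikea.com",
    "www.i\u0199ea.com",             # LATIN SMALL LETTER K WITH HOOK
    "www.airfr\u1ea1nce.com",        # LATIN SMALL LETTER A WITH DOT BELOW
    "mi\u0441r\u043es\u043eft.com",  # Cyrillic es and o, as in the 2002 demo
]


def punycode_label(label: str) -> str:
    """ASCII form of one label, as a browser shows it with IDN display off."""
    if label.isascii():
        return label
    # RFC 3492 Punycode; "xn--" marks an encoded label. No IDNA mapping or
    # normalization is applied here, so this is not a full IDNA encoder.
    return "xn--" + label.encode("punycode").decode("ascii")


def analyze_domain(domain: str) -> dict:
    """Name every non-ASCII character and report whether scripts are mixed."""
    non_ascii = []
    scripts = set()
    for ch in domain:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split()[0])  # first word: LATIN, CYRILLIC, GREEK, ...
        non_ascii.append((ch, f"U+{ord(ch):04X}", name))
    return {
        "domain": domain,
        "punycode": ".".join(punycode_label(p) for p in domain.split(".")),
        "non_ascii": non_ascii,
        "mixed_script": len(scripts) > 1,
    }


def flag_homographs(domains):
    """Return reports for domains that contain any non-ASCII character."""
    return [r for r in map(analyze_domain, domains) if r["non_ascii"]]


if __name__ == "__main__":
    for report in flag_homographs(SAMPLE_DOMAINS):
        print(report["domain"], "->", report["punycode"])
        for ch, cp, name in report["non_ascii"]:
            print(f"   {ch!r} {cp} {name}")
        if report["mixed_script"]:
            print("   mixed scripts in one name")
```

Note that the Latin-extended lookalikes (ƙ, ạ) are not mixed-script, which is why the non-ASCII report matters as much as the script check.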

With that in mind, we should remember that the only way a homographic attack can find victims is by making false promises. This is the reassuring part: successful homograph attacks require user intervention.

As the old adage goes, if it sounds too good to be true, it usually is.
