Cyrillic (Russian alphabet) characters are the most common characters used in IDN homograph attacks, according to research published last month by Farsight Security.
IDN stands for internationalized domain name, and is a domain name spelled out using non-Latin characters, such as Cyrillic, Greek, Chinese, or Japanese letters.
IDN domains were introduced in 2010, but they have started to catch on only in recent years, as more website owners realized they could own a domain spelled in their native language.
But as the technology became more popular, so did its potential for abuse. One of the most common ways IDN support in browsers is abused is for phishing attacks, where miscreants register websites that use Latin-looking non-Latin characters in an attempt to trick users into thinking they are navigating a legitimate website.
This is done by using “confusable” characters: letters from different alphabets that look the same. [Full list of Unicode confusable characters, as published by the Unicode Foundation].
The use of IDNs with confusable characters in an attempt to mimic a well-known website or brand is what security researchers call a homograph attack.
The Farsight Security team has recently conducted a study on the prevalence and popularity of homograph attacks on the open web.
The company said it scanned the Internet during a 12-month period between May 2017 and April 2018 looking for domain names that used international characters in one way or another.
Nearly 100 million IDNs in use today
Farsight says it found 99,432,594 IDNs during its scans of DNS caches, but focused on IDNs targeting 466 top global brands across 11 vertical sectors ranging from banking to retail to technology.
Researchers say they found 35,989 domains that imitated those 466 brands with lookalike names, used confusable characters, and looked like an attempted homograph attack.
Over 91% of these domains led to a website, meaning someone had either used them or was preparing to use them in the future.
Some domain registrars broke ICANN rules
The vast majority of these malicious-looking IDNs were also registered in one alphabet alone, with crooks trying to reproduce or mimic a brand using one set of characters only.
By far the most popular character set was Cyrillic, mainly because of its close resemblance to the Latin alphabet and the pool of characters the two share in appearance.
One-alphabet IDNs were prevalent because ICANN guidelines on internationalized domain names say domain registrars should not allow a user to register a domain using mixed alphabets, a precautionary measure against homograph attacks.
But according to researchers, not all domain registrars have been enforcing this rule. Farsight says it found hundreds of IDNs with mixed character sets.
The use of mixed Latin and Cyrillic characters appears to have been the preferred method of disguising an IDN homograph attack, followed by the mixing of Latin and Greek characters, and Latin, Greek, and Cyrillic.
Intra-label mixed script homographs are especially troubling for two main reasons:
1) Their possibility allows for much more sophisticated and difficult-to-spot homographs than any single script
2) They greatly increase the potential homographic namespace for a brand, making defensive registrations much
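As an added example, not part of the article or of the Farsight study, the following Python script implements the two defensive checks the passages above describe: per-label mixed-script detection (the property the ICANN registration rule is meant to enforce) and a confusable "skeleton" comparison against a list of protected brand names, the kind of check a brand owner would run over new domain registrations. The brand list and the confusables table are constructed for the example; the table is a small hand-picked subset of the Unicode confusables data, and a real deployment would load the full confusables.txt instead.

```python
import unicodedata

# Constructed brand list for the example (not the 466 brands from the study).
BRANDS = {"apple", "paypal", "google"}

# Hand-picked subset of Unicode confusables: non-Latin letters mapped to the
# Latin letter they resemble. This is an assumption for the example, not a
# complete copy of the Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
}


def to_punycode(domain):
    """Encode a Unicode domain into the ASCII (xn--) form stored in DNS."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Decode an xn-- domain back to Unicode; pass Unicode input through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already contains non-ASCII characters


def script_of(ch):
    """Coarse script classification from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "COMMON"  # digits and hyphens belong to no script
    return "OTHER"


def analyze(domain):
    """Report mixed-script use and brand lookalikes for each non-TLD label."""
    labels = to_unicode(domain).lower().split(".")
    findings = []
    for label in labels[:-1]:  # the TLD is left to the registry to police
        scripts = {script_of(c) for c in label} - {"COMMON"}
        # Skeleton: replace each confusable with the Latin letter it mimics.
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        lookalike = skeleton if skeleton in BRANDS and skeleton != label else None
        findings.append({
            "label": label,
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,   # what the ICANN rule forbids
            "skeleton": skeleton,
            "lookalike_of": lookalike,          # single- or mixed-script homograph
        })
    return findings


if __name__ == "__main__":
    # Constructed samples: a legitimate name, a mixed-script lookalike and an
    # all-Cyrillic lookalike that passes a mixed-script check on its own.
    for sample in ("paypal.com", "p\u0430ypal.com",
                   to_punycode("\u0430\u0440\u0440\u04cf\u0435.com")):
        for finding in analyze(sample):
            print(sample, finding)
```

The all-Cyrillic sample is the important one: it is a single-script label, so a registrar enforcing only the mixed-script rule would accept it, and only the skeleton comparison against the brand list catches it. Running the check over both the punycode and the Unicode form gives the same result, since DNS data comes back in xn-- form.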
Users looking to stay safe from homograph attacks can install Chrome and Firefox extensions that can detect IDN homographs, while sysadmins can use a Facebook-made tool to detect IDNs registered based on their company’s brand name.
The full 22-page Farsight Security study regarding existing internationalized homograph-looking domain names is available for download here, with additional research and data on adjacent topics.