Since the IDNA standards of 2003 (RFC 3490 through 3492), the Domain Name System has supported domain names containing non-ASCII Unicode characters from Cyrillic, Chinese, Arabic and other scripts, and since 2009 ICANN has also approved top-level domains in those scripts. The original IDNA rules even admitted some symbols. Although it is certainly commendable that many more Internet users can now navigate the web in their native languages, security professionals must be aware of how these increasingly popular Internationalized Domain Names (IDNs) add to malicious actors’ toolsets. LogRhythm Labs is quickly implementing Advanced Intelligence Engine rules to protect customers from their misuse. We have also summarized research into a few of the security ramifications of IDNs below.
The most obvious set of problems posed by IDNs is known as “homograph attacks” (Gabrilovich and Gontmakher, 2002).
Unicode contains many characters that are technically distinct from, yet visually identical or near-identical to, common ASCII characters. This allows malicious actors to register domains that look exactly like, or at least very similar to, a legitimate domain. For example, depending on the font, a quick glance at ‘logrhythµ.com’ (with the micro sign U+00B5 in place of the final ‘m’) may register as ‘logrhythm.com’ to an unsuspecting user. Even worse, the Cyrillic letters ‘а’, ‘с’, ‘е’ (U+0430, U+0441, U+0435) and several others render identically to their Latin counterparts in most fonts. Relying on the naked eye alone, it is therefore very easy to fall victim to a phishing attack.
Punycode (RFC 3492) is the encoding by which the ASCII-only DNS carries Unicode labels: each internationalized label is converted to an ASCII “A-label” that begins with the prefix ‘xn--’. For example, a domain that appears as ‘logrhythm®.com’ in Unicode is represented as ‘xn--logrhythm-ona.com’ in Punycode/ASCII. Because both forms contain the string ‘logrhythm’, the domain may appear legitimate whether the user sees the Unicode or the Punycode form, depending on how savvy the user is, and so has an increased chance of resulting in a successful phishing attack. (The newer IDNA2008 rules, RFC 5891 and RFC 5892, disallow symbols such as ‘®’ in labels, so registries that follow them reject this particular name; look-alike letters from other scripts remain valid and are the more durable problem.)
Additional Security Problems
Top-level domains (TLDs) written in Unicode were also approved by ICANN in 2009. There are already TLDs with an unusually high proportion of known associations with malicious activity, such as ‘.ru’, ‘.cc’ and ‘.su’. At least one of the new IDN TLDs, ‘.рф’ (‘xn--p1ai’) for the Russian Federation, has shown a similarly high frequency of malicious activity, including a significant number of redirects to Blackhole Exploit Kit landing pages. Unless an organization outside Russia has a reason to expect substantial traffic to ‘.рф’ domains, any such traffic is worth investigating.
Finally, IDNs give Domain Generation Algorithms (DGAs) a far larger alphabet for throwaway domains: instead of the 37 characters permitted in traditional hostnames (letters, digits and the hyphen), tens of thousands of Unicode letters are available, so the space of possible names is vastly larger. Fortunately, this activity can be detected by looking for a mix of Unicode scripts within one domain name. For example, Cyrillic and Chinese characters together in the same label should be exceedingly rare in legitimate traffic.
Although larger companies may try to protect their customers by defensively registering every homographic variant of their domains, Unicode’s large character set has made this approach infeasible. This leaves each individual or organization to rely on their own detection and prevention. Fortunately, LogRhythm, in combination with a network monitoring device or IDS, can significantly aid in detecting such malicious activity.
Evgeniy Gabrilovich and Alex Gontmakher, “The Homograph Attack,” Communications of the ACM, 45(2):128, February 2002.