One of the most common sneaky tricks on the web is typosquatting. Attackers know that someone trying to type “disney.com” can very easily type “dinsey.com” or “disnet.com” by accident, so they register those domains and point the mistyped names at a phishing or otherwise shady website. Matt Hamilton, a security researcher with Soluble, published details today of a related zero day that uses Latin homoglyph symbols, characters that look like ordinary letters, to create fraudulent look-alike sites.
In a blog post titled “From Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains,” Hamilton describes how certain Unicode Latin IPA Extension homoglyph characters look very similar to common letters in the alphabet. The Voiced Velar Stop symbol looks remarkably like the letter “g”, the Latin Alpha symbol resembles a lowercase “a”, and the Latin Iota symbol looks similar to a lowercase “L”.
Why is that a problem? Well, attackers can use the homoglyph characters to replace their counterparts in common domain names and create fraudulent or malicious websites. For example, replacing the “g” in washingtonpost.com or the “a” in walmart.com would let an attacker register a domain that looks virtually identical to the real website and easily lure unsuspecting users into clicking on the link.
Hamilton explains, “Generally speaking, homograph attacks are not novel. This type of attack has been known for many years and domain providers have put mitigations in place. This includes restricting the use of some characters and preventing the use of mixed-scripts, such as Latin and Cyrillic.”
Hamilton discovered that between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates, including ones impersonating prominent financial and online shopping sites. Digital certificates make it even easier to convince a user that a website is legitimate, which led to the issue being reclassified as a zero-day threat and accelerated the response. Hamilton and Soluble worked closely with Bishop Fox and notified Verisign and IaaS providers (Google, Amazon, Wasabi, DigitalOcean) about the issue before going public with this information.
An exception was made for Verisign. Public disclosure of this issue was delayed by a couple days to allow additional time for Verisign to implement vulnerability mitigations for generic top level domains (gTLDs) before the news was made public.
Verisign issued the following statement:
Safeguarding the stability, security and resiliency of the critical infrastructure we operate is our top priority. While the underlying issue described by Mr. Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited.
Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report.
We value the contributions of the security research community to the stability, security and resiliency of the Domain Name System, and appreciate Mr. Hamilton’s responsible disclosure in this matter.
Hamilton also developed a tool that generates domain permutations using homoglyph characters and checks them against certificate transparency logs to determine whether the domains are registered or active. You can download and check out the tool here.
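As an added example (not Soluble's tool or Hamilton's code), the following Python does the defensive half of what the article describes: it maps the three Latin IPA Extension characters named above back to the letters they imitate and flags hostnames, such as those pulled from certificate transparency logs, that collapse to a protected domain without being that domain. The watch list and sample hostnames are constructed, and the three-entry homoglyph table is an assumption standing in for the full Unicode confusables data.

```python
import unicodedata

# Confusable Latin IPA Extension letters named in the article, mapped to the
# ASCII letters they imitate. Assumption: this three-entry table suffices for
# the demo; real tooling would use the full Unicode confusables data.
HOMOGLYPHS = {
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G (the "voiced velar stop")
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0269": "l",  # LATIN SMALL LETTER IOTA
}

# Constructed watch list of domains to protect (hypothetical).
PROTECTED = {"amazon.com", "walmart.com", "washingtonpost.com"}


def to_unicode_hostname(host: str) -> str:
    """Decode an A-label (xn--...) to Unicode; non-ASCII input passes through."""
    try:  # CT logs and DNS carry A-labels, so accept either form
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Replace every known homoglyph with the ASCII letter it imitates."""
    host = unicodedata.normalize("NFC", host).lower()
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in host)


def impersonated_domain(host: str):
    """Return the protected domain `host` imitates, or None.

    Flag only when the skeleton is a protected domain and the host is not
    that exact ASCII string, so the genuine domain never trips the check.
    """
    uni = to_unicode_hostname(host)
    sk = skeleton(uni)
    return sk if sk in PROTECTED and uni != sk else None


def find_lookalikes(hosts):
    """Map each flagged hostname to the domain it imitates."""
    return {h: d for h in hosts if (d := impersonated_domain(h))}


# Constructed sample resembling hostnames pulled from CT log entries.
SAMPLE_HOSTS = [
    "amazon.com",                # genuine, must not be flagged
    "am\u0251zon.com",           # Latin alpha standing in for "a"
    "washin\u0261tonpost.com",   # script g standing in for "g"
    "wa\u0269mart.com",          # Latin iota standing in for "l"
    "am\u0251zon.com".encode("idna").decode("ascii"),  # same, as A-label
    "example.com",               # unrelated
]
```

Running `find_lookalikes(SAMPLE_HOSTS)` returns the four look-alikes mapped to the domain each imitates, while the genuine amazon.com and example.com are left alone.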
For more details, I suggest you check out Hamilton’s blog post. It includes a comprehensive Q&A section that addresses pretty much any question you can think of. In the meantime, I also suggest that you look a little more closely before you click. It may look like it says amazon.com, but maybe it says amɑzon.com if you pay attention.