Almost the same: Zero-day flaw enabled hackers to register fake domains

News by Rene Millman

Bug discovered that could enable hackers to pretend to be legitimate companies by registering domains using lookalike characters

A zero-day bug has been discovered that could enable hackers to pretend to be legitimate companies by registering domains using lookalike Unicode Latin IPA Extension characters.

An attacker could register a domain or subdomain that appears visually identical to its legitimate counterpart and use it for social-engineering or insider attacks against an organisation, according to a blog post by Matt Hamilton, a security researcher at Soluble. Anyone could register homograph domain names on gTLDs (.com, .net, etc.), as well as subdomains within some SaaS companies, using these homoglyph characters.

Over a dozen homograph domains have had active HTTPS certificates over the last three years, he wrote. This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity, he noted.

“It was discovered that between 2017 and the present, third parties had registered and generated HTTPS certificates for 15 of the 300 tested domains using this homoglyph technique. Additionally, one instance of a homoglyph domain hosting an unofficial and presumed malicious jQuery library was found,” Hamilton wrote.

While some homograph attacks using Punycode have been blocked in the past, the Unicode Latin IPA Extension character set had not been blocked until Hamilton’s intervention.

Hamilton said that among the characters that could have been used to fake a domain were “ɑ”, “ɡ” and “ɩ”. The “ɡ” is the most convincing character, often near indistinguishable from its Latin counterpart, according to Hamilton. The “ɑ” (Latin Alpha) is also very convincing, particularly when not adjacent to a Latin “a”.

The “ɩ” (Latin Iota) is the least convincing of the group. “On some systems and fonts this character appears very similar to a lowercase ‘L’, but it’s more often the case that this character can be discerned from its Latin counterpart,” wrote Hamilton.
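As an added illustration (not code from Hamilton’s report or from Soluble), a small Python screen that applies the idea above from the defender’s side: it flags domain names containing characters from the Unicode IPA Extensions block, maps the three confusables named in the report back to the ASCII letters they imitate, and compares the result against a watch list of brand domains, accepting either Unicode or Punycode (xn--) input as found in certificate transparency or DNS logs. The sample domains and the brand list are constructed for the example.

```python
import unicodedata

# IPA Extension characters cited in Hamilton's report, mapped to the ASCII
# letter each imitates (the iota resembles a lowercase "l" in some fonts).
IPA_CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0269": "l",  # LATIN SMALL LETTER IOTA
}
IPA_BLOCK = range(0x0250, 0x02B0)  # Unicode "IPA Extensions" block


def to_unicode(domain: str) -> str:
    """Accept a Unicode domain or its Punycode (xn--) wire form."""
    domain = domain.strip().lower().rstrip(".")
    if domain.isascii() and "xn--" in domain:
        domain = domain.encode("ascii").decode("idna")
    return domain


def analyse_domain(domain: str) -> dict:
    """Report IPA-block characters in a domain and the ASCII name it mimics."""
    name = to_unicode(domain)
    ipa = [c for c in name if ord(c) in IPA_BLOCK]
    return {
        "domain": name,
        # wire form, as it appears in certificate SANs and DNS logs
        "punycode": name.encode("idna").decode("ascii"),
        "ipa_chars": [unicodedata.name(c) for c in ipa],
        # the legitimate name this domain would be impersonating
        "skeleton": "".join(IPA_CONFUSABLES.get(c, c) for c in name),
        "suspicious": bool(ipa),
    }


def find_homograph_hits(candidates, protected):
    """(domain, impersonated, punycode) for each candidate whose skeleton
    matches a protected brand domain, e.g. when sweeping CT-log entries."""
    watch = {p.lower() for p in protected}
    hits = []
    for cand in candidates:
        r = analyse_domain(cand)
        if r["suspicious"] and r["skeleton"] in watch:
            hits.append((r["domain"], r["skeleton"], r["punycode"]))
    return hits


if __name__ == "__main__":
    # Constructed sample: one clean name and three IPA-based lookalikes
    sample = ["amazon.com", "\u0251mazon.com", "\u0261mail.com", "sa\u0269esforce.com"]
    for hit in find_homograph_hits(sample, ["amazon.com", "gmail.com", "salesforce.com"]):
        print(hit)
```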

To demonstrate the impact for gTLDs and prevent registration by malicious third parties, he registered a number of homograph domains, such as lookalikes of amazon, salesforce and gmail, to name a few.

Since the disclosure, Verisign, the registry for the .com, .net, .edu and several other generic top-level domains (gTLDs), has fixed the bug and moved to restrict domain registrations using such characters.

"While the underlying issue described by Mr Hamilton is well understood by the global internet community – and is the subject of active policy development by ICANN [the Internet Corporation for Assigned Names and Numbers] – we appreciate him providing additional timely details about how this issue may be exploited," Verisign said in a press statement.

“Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report.”

Hackers get inside networks through a variety of tactics such as social engineering, phishing emails, malicious insiders, zero-days, or a host of other methods including automated hacking tools that are constantly probing for weaknesses, said Saryu Nayyar, CEO of Gurucul.  

“Most attacks can easily defeat conventional perimeter security tools like antivirus or firewalls that defend against yesterday’s threats,” she told SC Media UK.
