IDN Homograph Attacks

How a Russian spammer registered ɢoogle.com

Brandon Louder

January 05, 2017 - Posted by Brandon Louder to Security News

A friend recently brought to my attention that the Google Analytics report for his website was showing the message below under the language field for 18% of his visitors. Normally this field contains a language abbreviation such as “en”, “es” or “fr” indicating the visitor’s browser language.

“Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!”

Google Analytics Screen Shot

Looking beyond the political aspect of this message, there are two issues here, and the second is the more unsettling:

  1. First of all, it is not uncommon for spammers to target Google Analytics with messages that entice the website owner to follow the link. This particular spammer has been running this campaign for several months now. Google Analytics spam is annoying because it distorts your reporting; there are quite a few write-ups available online (see the references below) on reducing bot traffic to your sites and filtering the spam out of your reports.
  2. The more concerning issue is that this crafty individual (in Russia) has successfully registered the domain “ɢoogle.com” for his own use. You might be thinking, “How did they get Google’s domain?” Take a closer look: notice anything odd in comparison to the real “google.com” domain? That is not an actual capital G in the spam message; it is the Unicode character U+0262, LATIN LETTER SMALL CAPITAL G.

This is what is called an Internationalized Domain Name (IDN) homograph attack, a phishing technique that deceives users into communicating with a look-alike domain by exploiting the fact that different characters can be visually identical. The individual behind “ɢoogle.com” obtained it by registering the Punycode form “xn--oogle-wmc.com”. DNS itself only carries ASCII labels: an IDN is converted to ASCII with Punycode (the IDNA “xn--” encoding) before it is registered, stored and resolved, and it is the browser that decodes “xn--oogle-wmc.com” and displays it as “ɢoogle.com”. So unsuspecting users who think they are clicking a link to google.com will actually be connecting to “xn--oogle-wmc.com”.

Some IDN homographs are impossible to distinguish from the original by eye. For example, looking at “wikipediа.org” you will not notice any difference from the real Wikipedia domain, yet the last “a” is CYRILLIC SMALL LETTER A (U+0430) and the underlying domain is actually “xn--wikipedi-86g.org”. You can check this yourself with a web-based Punycode converter (see the references below).

Most users are accustomed to checking the domain name in a link before they click on it, but relying on that as a countermeasure is not adequate against this technique. An attacker can easily set up a fake site that captures user credentials as they try to log in, while both the address bar and the site content appear to be real.

So how can you defend against such attacks? You could register the homograph variants of your own domain so they are not available to be misused. Registering that many domains may not be practical for some organizations, but for Google, in hindsight, it would have saved a lot of trouble. Alternatively, you can monitor those variants for registration activity, which is an early indicator that an attack is being planned. To protect internal users, the simplest method is to disable IDN support in your web browsers (or configure them to always display the Punycode form). A browser without IDN support will not convert non-ASCII names, so look-alike characters lose their effect, while the underlying Punycode (“xn--”) domains remain usable; this removes the attacker’s ability to spoof the real domain. Note that a mixed-script check on its own is not enough: “ɢ” (U+0262) is itself a Latin-script letter, so “ɢoogle.com” is a single-script label.
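To make the Punycode mechanism described above and the defensive checks concrete, here is an added Python example; it is not code from the original post or from NTT Security. Using only the standard library, it converts the two domains discussed above between their display and “xn--” forms with Python’s built-in RFC 3492 punycode codec, names the substituted code points, reduces an observed domain (in either form) to a confusable “skeleton” to flag homographs of a protected name, and enumerates the single-character look-alike variants you would register defensively or watch for in registration feeds. The sample domains are the ones from the post; the `CONFUSABLES` table is an assumed, hand-picked subset for the demo, and a production check would load Unicode’s confusables.txt instead.

```python
import unicodedata

# Constructed sample inputs (the domains discussed in the post) plus the
# genuine domain for comparison.
SAMPLES = ["ɢoogle.com", "wikipediа.org", "google.com"]


def to_ascii(domain: str) -> str:
    """Display (Unicode) form -> the ASCII form that DNS actually stores.

    Each non-ASCII label is Punycode-encoded (RFC 3492, Python's built-in
    codec) and prefixed with the "xn--" ACE marker; ASCII labels pass through.
    No IDNA mapping/normalisation step is applied here."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(domain: str) -> str:
    """Wire ("xn--") form -> display form, the reverse of to_ascii."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def non_ascii_chars(domain: str):
    """Name every non-ASCII code point so an analyst sees what was substituted."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "<unnamed>"))
            for c in to_unicode(domain) if ord(c) > 0x7F]


# Assumed, deliberately small confusable table for the demo (look-alike -> ASCII).
CONFUSABLES = {
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G (the spam domain)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A (the Wikipedia example)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def skeleton(domain: str) -> str:
    """Reduce a domain (either form) to what a human reads: decode Punycode,
    apply NFKC (folds e.g. fullwidth letters), then map confusables to ASCII."""
    text = unicodedata.normalize("NFKC", to_unicode(domain)).lower()
    return "".join(CONFUSABLES.get(c, c) for c in text)


def is_homograph_of(observed: str, protected: str) -> bool:
    """True when `observed` reads like `protected` but is a different name.
    Works on log entries in either "xn--" or Unicode form."""
    return (skeleton(observed) == skeleton(protected)
            and to_unicode(observed).lower() != to_unicode(protected).lower())


def lookalike_variants(domain: str) -> dict:
    """Single-substitution look-alikes of `domain` (TLD left alone), mapped to
    the "xn--" form you would register defensively or watch in zone feeds."""
    reverse = {}
    for fake, real in CONFUSABLES.items():
        reverse.setdefault(real, []).append(fake)
    labels = domain.lower().split(".")
    variants = {}
    for li in range(len(labels) - 1):          # skip the TLD
        for ci, ch in enumerate(labels[li]):
            for fake in reverse.get(ch, []):
                new_label = labels[li][:ci] + fake + labels[li][ci + 1:]
                unicode_form = ".".join(labels[:li] + [new_label] + labels[li + 1:])
                variants[unicode_form] = to_ascii(unicode_form)
    return variants


if __name__ == "__main__":
    for d in SAMPLES:
        print(d, "->", to_ascii(d), non_ascii_chars(d))
    print("xn--oogle-wmc.com looks like google.com:",
          is_homograph_of("xn--oogle-wmc.com", "google.com"))
    for uni, ace in lookalike_variants("google.com").items():
        print("watch/register:", uni, ace)
```

Running the script reproduces the two encodings quoted in the post (“xn--oogle-wmc.com” and “xn--wikipedi-86g.org”) and flags both as homographs of the genuine names; the same `skeleton` comparison can be run over proxy or DNS logs, where names normally appear in the “xn--” form, to catch look-alikes a mixed-script heuristic would miss.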

References:

https://www.punycoder.com

https://dnsquery.org/whois/%C9%A2oogle.com

Remove Google Analytics spam:
https://support.google.com/analytics/answer/1034842

https://megalytic.com/blog/how-to-filter-out-fake-referrals-and-other-google-analytics-spam

NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.
