Posted by Virus Bulletin on Aug 14, 2014
Good idea, but unlikely to have a huge impact.
Ever since internationalized domain names (IDNs) were introduced in the last decade, allowing people to use non-ASCII characters in domain names, many in the security field have been expressing their concern about 'homoglyph attacks' (sometimes called homograph attacks). In such attacks, characters in a well-known domain are replaced with visually similar non-ASCII ones.
An attacker could thus register the páypαl.com domain (which is visually similar to paypal.com) and have innocent victims believe they are accessing the official site of the payment facilitator, whereas in fact they are being phished for their login credentials.
In practice, hardly any homoglyph attacks have been seen in the wild, despite the technology having been widely implemented. I think the main reason for this is that if you do attempt to register the páypαl.com domain, you are, as it were, ticking the 'I am going to use this domain for phishing' box. If you were able to get it registered, it would probably not be long before it was taken down.
Moreover, we know that users click links and enter their details on URLs that don't even remotely resemble the targeted domain. (In fairness to such users, especially on mobile devices, it isn't always easy to see the URL of the link one is clicking on, or the full email address of an email's sender.) So there appears to be little need for phishers to go through the process of registering look-alike domains.
That doesn't mean that such attacks couldn't happen. So it is good news that Google has announced it is going to crack down on abuse of IDNs, by implementing the Unicode Consortium's 'Highly Restricted' specification. Put simply, this means that Google will support IDNs in Gmail (and also in the local-part of email addresses), but it will block unnatural combinations of various alphabets.
Still, this doesn't stop an attacker from using pay-pal.com, paypal-super-official.com, paypaI.com or a completely unrelated domain - or from using local DNS modifications to send the correct domain to the wrong server.
Ultimately, a domain name is best seen as nothing but an easy-to-remember pointer to an IP address. If you want more security than that, one should use public key certificates proving the authenticity of the domain, in particular Extended Validation Certificates. These include many checks that make abuse of look-alike domains very unlikely - though ultimately, as with anything in security, not impossible. Welcome to the world of security.
Posted on 14 August 2014 by Martijn Grooten
