|Homograph Spoofing Attack|
IDN TLD Testing now underway...
2006-11-21 - Web chief warns of domain name chaos
Introducing non-English letters to addresses may 'break the whole Internet'
Homograph Spoofing Attack
This should be interesting! A recent topic from garrybetting was the perfect opportunity for me to don the "Tin Hat" but apparently it was not the right topic for discussing this. So, I felt a new specific topic just for Homograph Spoofing would be in order. With the approval of IDNs recently and now the testing phase, I do believe we as Internet Marketers and Webmasters are going to be faced with a new level of search sabotage and phishing that makes the current methods look like amateur stuff.
|IDN Domains are "Internationalized Domains Names", they make the use of special non-English characters possible (i.e. Umlauts like "ä", "ö" und "ü", other European Characters like "á", "é", "í"). These domains are subject to many temporary technical restrictions, for example users need an IDN compatible browser to visit them. |
2008-06-28 - URL's in foreign languages
When will foreign language URL's exist?
In the above topic, garrybetting asks "When will foreign language URLs exist?"
They are testing them right now. I think some of us missed the recent announcement about this as it was somewhat buried in all the other hubbub about ICANN approving the "other" new TLDs.
Welcome to the IDN TLD evaluation gateway!
|These TLDs can be accessed by clicking on the links in the first column in the table. However, as with any other IDNs, if they are typed or copied and pasted directly into the address line of a browser, they will only work if that browser has full support for IDN. |
I've been reading about IDNs now for the past couple of weeks almost every single day. In the process of that, we uncovered some interesting stuff. I'm doing further research this weekend and into the near future to fully understand the impact of IDNs. I do know that we uncovered what appears to be a PayPal phishing domain and we're a bit surprised it is out there and currently for sale...
Can someone explain to me what is happening here?
Some of you know I'm on this mission to get so freakin' technical my brain hurts right now. In the process of our research, we uncovered the above. My programmer spent about 30 minutes and whipped up an example of Phishing using the above URI which resolves. It was rather convincing if you ask me. Does PayPal know about this stuff?
I would really like to know what is taking place above. I was shown something using the above domain that would surely cause some challenges for PayPal. I'm still going through some different combinations using various characters and am running across some interesting stuff. Not a lot, but enough to start sending signals through me "Tin Hat". Ting, ting, ting...
Why does the above resolves to a parked PàyPal page at Sedo? And, it is for sale for 10,000 GBP ($19,817.00 USD)? Something isn't right...
I've been playing with that IDN Registration Search tool from DynaDot. Why is it that some of my domains are registered with certain characters? And, why can't I see those? Where are they? I'm confused? And why does it show these xn-- domains as being available?
And what the heck is up with the PàyPal example above? How does that happen?
[edited by: tedster at 9:28 pm (utc) on July 4, 2008]
[edit reason] edited by member request [/edit]
|I thought you couldn't register these xn-- domains? And why does it show these xn-- domains as being available? |
Okay, it has been explained to me exactly what I was seeing with the xn--. Actually it was explained during our initial research and I just forgot about it. :(
It is referred to as Punycode, we can get into that later in detail as it will become a word that many of us may reference as we move into the future of IDNs.
A note for PayPal. Not only does the first reference provided resolve, so does this one...
It too is for sale...
|The seller has listed the domain in GBP. The sum of 10,000 GBP is currently equivalent to approximately 19,817 USD. |
That's two for two. Let me see how many other brands I can uncover in this network of homographic domains. How many more am I going to find like this? I mean, if I found two for PàyPàl, what exactly does this mean for other brand domains? Am I way out in left field with this? I could only find three references to homograph when searching WebmasterWorld which tells me this is "rarely" discussed since IDNs were not a reality at the time. Now that they have been approved, I think we need to get the air cleared about what some of us may begin to find, including myself.
<added>Oh my! News at 2300...
|I think we need to get the air cleared about what some of us may begin to find, including myself |
It's just typosquatting though P1R. It's pretty rarely (at the moment ;)) that users type accented characters and the like into their address bar, so thus far, no-one really seems to care (added to the fact that no-one wants their users ending up at xn-- names).
For phishing emails they're the choice of the connoisseur, but IMO phishing needs an entirely different solution than avoiding lookalike domain names.
|It's just typosquatting though P1R. |
Really? Probably so in this instance but why isn't PayPal's brand division on this? That parked page shouldn't be there and that domain surely shouldn't be for sale, or should it? Especially now that IDNs are a reality? I don't know about you, but this comment from ICANN chief executive Paul Twomey in 2006 November concerns me as I travel into the abyss...
|Poor implementation of foreign domain names may also pose security risks, whereby fraud artists could create websites with names that appear identical to current English language sites, but in fact replace some of the English characters with similar-looking foreign characters. |
As a result, users may think they're on the legitimate version of the site, when in fact they're visiting a fake created by fraudsters looking to steal their personal details.
In light of this, ICANN is working closely with developers to ensure that applications such as web browsers and e-commerce software are upgraded so that they can handle the slew of potential new web addresses.
A resolution on the issue is expected to be reached by the end of 2007.
Shall I take all this with a grain of salt and just accept that someone may be typosquatting my brand and using it for something I'm not aware of? I know, I know, I dig too deep into this stuff. But, I wonder just how prepared the Internet is for the new IDNs and what potential issues are going to be present for existing brands like the PayPal example above.
I still cannot accept the above as someone "just typosquatting". You don't purchase a brand name like that with a homograph and just park it knowing that people are not going to be typing in homographs. No, I find that one hard to fathom. I won't guess any further on that one as I'll only travel deeper into the abyss as they say. ;)
Oh, here's something else to chomp on...
|In general, this kind of attack is known as a homograph spoofing attack. This problem was anticipated before IDN was introduced, and guidelines were issued to registries to try and avoid or reduce the problem – for example, recommending that registries only accept the Latin alphabet and that of their own country, not all of Unicode. Unfortunately this advice was not followed by those in control of a number of major TLDs. |
And, do you know which of the TLDs has been open for IDN registration since 2004 March? .info! Yes, that's right, that cheap four letter TLD that Google banned not long ago by mistake. Ting, ting, ting...
|I still cannot accept the above as someone "just typosquatting" |
Call it cybersquatting, Version 2.02 or exploitation Version 353,357,743.03.
Another day. Another dollar. Business as usual.
|Another day. Another dollar. Business as usual. |
Okay, that's two of you that I have great respect for just blowing this off. One more and I'll stop all the digging so I can move onto other more important things in life. ;)
It's actually an interesting, valid and valuable observation and whistle-blowing about the future of fraud on the Web.
The question I have is once you have made the observation and sounded the alarm what else will you do OR what else would you have other people do?
What would you have ICANN or any other regulatory agency do?
Compare your concern to existing domain exploitation practices "of concern". It has been public knowledge, for years, that there are people who cannot resist registering typosquatting domains. Has this caused the big brands to engage in the practice of defensive domain registration? Sure, a few, but most did nothing except file the occassional WIPO complaint.
I'm not a fan of being nonchalant about fraud, so your zeal for this issue is refreshing and inspiring, but - BUT - tell us all what we should do to bring about a change that will avoid the impending problem.
Notify ICANN? Maybe they are that clueless? They sure acted like impotent potentates when it came to domain tasting, didn't they?
Where do we go with this? What's the strategy or plan of action?
[edited by: Webwork at 4:15 pm (utc) on July 5, 2008]
|It's actually an interesting, valid and valuable observation and whistle-blowing about the future of fraud on the Web. |
So, you callin' me a Snnitch? ;)
|The question I have is once you have made the observation and sounded the alarm what else will you do OR what else would you have other people do? |
Awareness? I guess that's all we can do at this point. A few notable names have brought this to the public's attention but not in any high volume due to IDNs not being a reality at that time. Now they are.
|What would you have ICANN or any other regulatory agency do? |
Provide more public awareness on the potential challenges for website owners worldwide. I'll guess that will happen now as they test the new IDNs, I'm looking forward to more research on it.
|Has this caused the big brands to engage in the practice of defensive domain registration? Sure, a few, but most did nothing except file the occassional WIPO complaint. |
Understood. But tell me, is typosquatting "just" typosquatting?
|I'm not a fan of being nonchalant about fraud, so your zeal for this issue is refreshing and inspiring. |
Thanks Webwork, I just had to get out of the other mindset for a bit and jump over to this "other side" to see what may be happening now that the IDN space is open for grabs. I'm not worried about the .seo types. I'm more concerned about the séó types. ;)
|But - BUT - tell us all what we should do to bring about a change that will avoid the impending problem. |
Awareness? Discussion at the fora level? All that neat stuff?
|Notify ICANN? Maybe they are that clueless? They sure acted like impotent potentates when it came to domain tasting, didn't they? |
I don't want to knock ICANN as they surely have their hands full now. I mean, they just opened up the new Wild West of the Internet with this latest fiasco.
|Where do we go with this? What's the strategy or plan of action? |
Oh, we're doing some testing, tasting, etc. It is unfortunate as some of the examples I've managed to backtrack so far lead back to the .cn ccTLD and I'm not going there. Which leads me into the series of topics I have going discussing the tracking of 400 and 500 errors and the banning of 75% of the planet here in the year 2009. If I'm a "Geo Based Business", I have no requirement for anything outside my geography and/or my "targeted geography". So, for the year 2009, our new mantra will be GeoBanning.
Since we don't "fully understand" the potential of risk just yet, I want to make sure that "I" batton down the hatches as they say. We are moving to Material Condition Zebra for the new year.
|is typosquatting "just" typosquatting |
By definition, yes ;)
For some sites (major brands) typosquatting is a serious problem, and requires a budget and technical team to match.
For most sites even the basics like getting the major TLDs and hyphenated versions are ignored. But there hasn't been a great deal of impact. And so the sky has not fallen yet ;)
The way website security seems to work is to wait for the horse to bolt. But then, most sites have no technical expertise behind them, and are unable to combat the problem. Most sites don't get hacked, or are the victim of phishing, and those that do are then forced to learn. My last round of sql injection scanning didn't turn up too many surprises (although plenty of sites open to compromise).
"Just" typosquatting is a case of perspective. From where I'm sitting, typosquatting has no impact. I can fix it if there's a business case for it, and I sanitise my emails. Clearly for some sites, typosquatting is a major headache, starting with mistypes, l33t sp34k and the rest (and including IDNs).
Okay, I forgot, I need to be a bit more specific with my nomenclature. ;)
|For some sites (major brands) typosquatting is a serious problem, and requires a budget and technical team to match. |
I'm actually looking at it from the "underdog" perspective. I'm sure the major brands have their hands full, in fact, I know they do, it is quite obvious. Me thinks there are "other" strategies at play in certain industries where we see many here on a day to day basis claiming loss of traffic, their business has to close its doors, they are being forced to sell, etc. They used to enjoy the benefits of "bits and pieces of the pie" here and there but that isn't even a reality anymore.
|And so the sky has not fallen yet. |
Nah, I don't want this to turn into one of "those topics", I learned the first time with the DNS Recursion issues. Can you believe I still get Google Alerts about those? Yes, it is still an ongoing concern for some. ;)
|The way website security seems to work is to wait for the horse to bolt. |
lol, ain't that the truth! I'm guilty of it. Or, I used to be. My "chosen path" has changed a bit over the years. ;)
|Most sites don't get hacked, or are the victim of phishing. |
Hmmm, I think I can gather up a few hundred folks around here, at WebmasterWorld alone who will disagree with the above statement. Including one of my clients hosted elsewhere outside "my control". I know there are about 15,000+ here in this "one" search who will disagree with you...
|My last round of sql injection scanning didn't turn up too many surprises (although plenty of sites open to compromise). |
Well, that just happens to be one of the biggest culprits. And you don't think that is a "major" problem? I've had to go back and redo many apps that utilized the above "hole" and it was somewhat costly. And there are probably a few more on the list. That is a really nasty hole dude! And to take it lightly like that seems to be somewhat of an injustice to the severity of it, no? I know, they shouldn't have been there to begin with. Well, tell that to millions of website owners who have the flaw and don't know it yet! Yup, that is a very small percentage of the whole. But ya know, many of those end up here at WebmasterWorld I think.
Sure, you are protected because your level of knowledge most likely far exceeds many of us delving into this, kudos! I'm getting there. In the process, I find things that make me wonder. Further digging makes me wonder more and at some point I get concerned. I like to talk about this stuff and at the same time not cause any undue alarm but to bring awareness to the potential that "may be there". When is the last time you heard the term Homograph Spoofing mentioned around here? I referenced the only topic that really discusses it here at WebmasterWorld. ;)
|From where I'm sitting, typosquatting has no impact. I can fix it if there's a business case for it, and I sanitise my emails. |
Can we come join you? ;) Oh, I'm convinced typosquatting has a major impact given the implementation and intended goal. There is too much "big money" exchanging hands in that industry for me to say that its just typosquatting. Oh, it is in the true sense of the word. I let those guys do their thing. Not my forte but I do have a few myself. But I ain't doin' nuthin' fishy with em'! And I'll guess that many of them are not. But...
I really like discussing this with you guys/gals! Since I'm "down here", I may not fully understand the scope of the abyss. I'm only getting bits and pieces of it. But those bits and pieces are raising flags in some instances. I don't like it when stuff leads back to other TLDs and ccTLDs, I really don't. Especially when I'm searching for "specific references" and there is no reason for that reference to be "over there".
You really want to know what started this? Someone was kind enough to send me some information related to some potential flaws with the whole query (?) thing. My team and I were kidding about it and someone decided to do some testing. So, we ended up visiting a couple test sites and appending a few /?... using foreign language queries and we got to thinking... oh-oh...
|I need to be a bit more specific with my nomenclature |
Because my meaning for a word may not be the same as yours. Such words call for a more specific definition.
Sure, it's cosy over here ;)
Websites with a savvy technical team don't get hacked, unless they're a particularly lucrative target for one reason or another. How secure you need to be is a business case. Hackers need a 'business' case too or they won't bother following up vulnerabilities. Everyone meets somewhere in the middle.
|Hmmm, I think I can gather up a few hundred folks around here, at WebmasterWorld alone who will disagree with the above statement. |
I made a deliberately general statement, which I stand by: most sites don't get hacked. Plenty of sites do, but that's a separate issue. Can most sites be hacked? Yes. Will most sites be hacked? No. Cost of preventing hacking vs likelihood of being hacked.
Most sites could do with a latch and a bolt. Some need an electric fence.