IDN attacks are a common threat on today’s Internet. IDN stands for Internationalized Domain Name. It refers to domain names that contain one or multiple characters in “non-Latin script or alphabet, or in the Latin alphabet-based characters with diacritics or ligatures”.
This enables support for domain names in all languages. German-speaking organizations and users may for instance use the letter Ö in domain names.
One problem associated with this is that it is sometimes impossible for users to distinguish between different characters. The Latin letters e and a, for instance, look identical to the Cyrillic letters e and a. The strings ghacks and ghаcks are not identical, for example, even though they are not distinguishable from just looking at them.
IDN homograph attacks
IDN homograph attacks take advantage of this. Threat actors create domain names that look like a legitimate domain. Links are then pushed via online advertising, comments, chats, email or other forms of communication.
Ars Technica published a story just yesterday about an online ad on Google Search that impersonated the official KeePass website. A search for KeePass listed a sponsored result at the top. This sponsored result pointed to the same domain as the legitimate KeePass website, at least on visual inspection.
It is not uncommon for organizations to place ads for key search terms, even if their domain is the first organic result.
In this particular case, it turned out that the sponsored ad was malicious. It used an IDN to look like the official KeePass website. The fake site pushed a malware family known as FakeBat according to Ars Technica’s research.
Protection against IDN attacks
Ars Technica writer Dan Goodin concluded that there is no 100% protection against IDN attacks. All major browsers load IDN URLs without issues.
Chromium-based browsers place the punycode version of the domain (the form with the xn-- prefix) on the clipboard when the address is copied, which offers a quick way to find out if it is an IDN.
Raymond Hill, creator of uBlock Origin, disagreed with Goodin’s conclusion as well. He published a single filter line for use in uBlock Origin, which blocks access to all IDN URLs by default. Users still have the option to proceed and to add an exception for the site, if it is legitimate.
Here is a step-by-step guide to add the filter to uBlock Origin:
- Open the web browser.
- Activate the uBlock Origin icon and select Settings.
- Switch to the My Filters tab.
- Paste the following string into an empty line: ||xn--$doc,frame
- Select Apply changes.
That’s all there is to it. Any attempt to load an IDN in the browser is now met with uBlock Origin’s “blocked” window.
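To make the punycode check and the ||xn-- filter concrete, here is a small Python script that is an added example and not code from the article, from Ars Technica or from the uBlock Origin project. It assumes only Python's built-in idna codec (IDNA 2003 rules) and the unicodedata module; the sample hostnames are constructed for the demo, and the Cyrillic a is written as the escape \u0430 so it cannot be confused with the Latin letter. The script converts a domain to its xn-- form, flags labels that mix scripts (the homograph pattern described above) and emulates what the ||xn-- filter matches on.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample hostnames for the demo (not real sites).
# "gh\u0430cks" uses CYRILLIC SMALL LETTER A (U+0430) in place of the Latin a.
SAMPLES = ["ghacks.net", "gh\u0430cks.net", "m\u00fcnchen.example"]


def to_ascii(domain: str) -> str:
    """Return the ASCII-compatible (punycode, xn--) form of a domain.

    Python's built-in 'idna' codec implements IDNA 2003, which is enough to
    expose the xn-- prefix that a look-alike domain hides behind.
    """
    return domain.encode("idna").decode("ascii")


def is_idn(domain: str) -> bool:
    """True if any label of the domain encodes to an xn-- label."""
    labels = to_ascii(domain).lower().split(".")
    return any(label.startswith("xn--") for label in labels)


def scripts_in_label(label: str) -> set:
    """Set of Unicode scripts used in one label, taken from character names.

    ASCII digits and hyphens are common to every script and are ignored, so
    a label such as 'gh\u0430cks' yields {'LATIN', 'CYRILLIC'}.
    """
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split()[0])
    return scripts


def classify(domain: str) -> str:
    """Return 'ascii', 'idn' (non-ASCII, one script per label) or
    'idn-mixed-script' (a label mixes scripts, the homograph pattern)."""
    if not is_idn(domain):
        return "ascii"
    for label in domain.split("."):
        if len(scripts_in_label(label)) > 1:
            return "idn-mixed-script"
    return "idn"


def ublock_filter_matches(url: str) -> bool:
    """Emulate the '||xn--' part of the uBlock Origin filter.

    '||' anchors at any domain-label boundary, so the filter matches when any
    label of the (punycode) hostname starts with xn--.
    """
    host = urlsplit(url).hostname or ""
    ascii_host = host if host.isascii() else to_ascii(host)
    return any(label.lower().startswith("xn--") for label in ascii_host.split("."))


if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d!r:24} -> {to_ascii(d):28} {classify(d)}")
```

Running the script shows the constructed look-alike domain encoding to an xn--ghcks-... label that the filter would stop, while the plain ASCII domain passes; a legitimate single-script IDN such as the umlaut example is also matched by the filter, which is why the article's step to add an exception for such sites matters.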
Punycode, IDN … I had that out of my mind for quite some time now.
This uBO filter is welcomed of course, most welcomed notably regarding the article.
Thank you Martin! Great tip.