Next Generation Phishing ATTACKS!!

As technology grows, hackers also find new and interesting ways to bypass the security controls in place, using various tools and tricks. Here is a new, interesting kind of PHISHING ATTACK. Phishing attacks have been around for ages; if you don't know what a phishing attack is, you can read about it here.

Traditional phishing attacks gained popularity through Facebook, Twitter and other social media account hijacking. But those attacks can be avoided easily just by glancing at the URL of the site. Now security researcher Xudong Zheng has discovered an attack that overcomes that simple check, which the earlier attacks could not!!

Let's see how it works. First, you need to understand a few things before we get started.

1. UNICODE & ASCII

When I type something on my keyboard, my computer does not work with the letters themselves: each character is turned into a machine-level code, and that is what the CPU processes. So how does my computer interpret it when I type my name “GAGAN JAIN”? In ASCII those characters are the codes “071 065 071 065 078 032 074 065 073 078”, and this exact sequence (stored as binary) is what my computer or yours processes to understand my name. ASCII can hold only 128 characters in total.

Most ASCII characters are printable characters of the alphabet such as abc, ABC, 123, ?&!, etc. “ASCII was meant for English only.”

Later, EXTENDED ASCII was developed, which supported 255 characters and included some French letters such as ‘é’.

NOW WHAT ABOUT OTHER LANGUAGES??

So Unicode came into existence. To cover other languages an entirely new character set was needed; that is the rationale behind Unicode. Unicode doesn't contain every character from every language, but it does contain a gigantic number of characters. HERE IS THE TABLE.

2. PUNYCODE

Punycode is a way to represent Unicode within the limited character subset of ASCII used for Internet host names. For example, “München” (German name for the city of Munich) would be encoded as “Mnchen-3ya”. Using Punycode, host names containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphen (the Letter-Digit-Hyphen (LDH) subset, as it is called).

THAT MEANS WE CAN REGISTER A DOMAIN IN A FOREIGN LANGUAGE!!! Got my point?? Not yet?

Here's an example:

Convert “Onlinesbi” into Japanese and it looks like this: オンラインビ

Now convert this into Punycode and it looks like this: ‘ xn-- -ymcbs1e9bndcdpt ‘. So an attacker can register a new domain name like xn-- -ymcbs1e9bndcdpt.com, pass it off as the real website and trick the user into entering his credentials!!
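As an added example (not code from the original post), here is how the conversion above is done with Python's standard codecs. The 'idna' codec applies the nameprep normalization (case folding, NFKC) that registrars and resolvers use and then adds the xn-- prefix, while the 'punycode' codec gives the raw RFC 3492 encoding, which is the “Mnchen-3ya” form shown for München above. The Cyrillic-“а” look-alike of apple.com used as sample input is the one Xudong Zheng describes further down this page; the function names are my own.

```python
import unicodedata


def to_ace(host):
    """Unicode hostname -> the ASCII-compatible form ("ACE") used in DNS.
    Python's 'idna' codec runs nameprep (case folding, NFKC) on each label
    and Punycode-encodes any label that is not pure ASCII, adding the
    'xn--' prefix. ASCII labels pass through unchanged."""
    return host.encode("idna").decode("ascii")


def from_ace(host):
    """ASCII/Punycode hostname -> the Unicode form a browser would display."""
    return host.encode("ascii").decode("idna")


def raw_punycode(label):
    """Plain RFC 3492 Punycode of one label: no nameprep, no 'xn--' prefix.
    This is the 'Mnchen-3ya' form shown for 'München' in the text above."""
    return label.encode("punycode").decode("ascii")


def code_points(label):
    """[(char, 'U+XXXX', Unicode name), ...] so that a Cyrillic 'а' (U+0430)
    can be told apart from the Latin 'a' (U+0041) it is drawn like."""
    return [(c, "U+%04X" % ord(c), unicodedata.name(c, "<unnamed>"))
            for c in label]


def differing_positions(shown, expected):
    """Indices at which two equally long names use different code points;
    an empty list means the names really are the same string."""
    return [i for i, (a, b) in enumerate(zip(shown, expected)) if a != b]


if __name__ == "__main__":
    # Constructed sample: the Cyrillic-'а' look-alike of apple.com
    fake = "\u0430pple.com"
    print(to_ace(fake))                          # xn--pple-43d.com
    print(from_ace("xn--pple-43d.com") == fake)  # True
    print(raw_punycode("M\u00fcnchen"))          # Mnchen-3ya
    print(to_ace("M\u00fcnchen.de"))             # xn--mnchen-3ya.de
    for row in code_points(fake.split(".")[0]):
        print(*row)                              # U+0430 CYRILLIC SMALL LETTER A, ...
    print(differing_positions(fake, "apple.com"))  # [0]
```

Note the two codecs differ on case: the raw Punycode of “München” keeps the capital M, while the IDNA form is lower-cased first, so the registered name is xn--mnchen-3ya. Listing the code points is the quickest way to see that a look-alike name is a different string even when it renders identically.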

THIS ATTACK IS CALLED A HOMOGRAPH ATTACK. As Xudong Zheng explains it:

“From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041).”

Popular browsers like Google Chrome have implemented IDN display policies, which show a domain in its Punycode form when it mixes characters from different scripts. Unfortunately, the homograph protection in Chrome, Firefox and Opera fails if every character is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by using only Cyrillic characters.

You can see the DEMO PAGE here.

This vulnerability allows an attacker to trick the user with a fake page whose URL looks identical to the real one, complete with HTTPS!! You can't tell the real identity of the site unless you inspect the SSL certificate information. As explained above, the fake apple.com uses a Cyrillic ‘а’ rather than an ASCII ‘a’, and the fonts used by Chrome, Firefox and Opera do not distinguish the two. Thankfully, SAFARI is not vulnerable to this attack. You can see the difference using this script here.
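As an added example (my own code, not the original post's and not any browser's source), here is a simplified version of the two checks a hardened address bar can run before deciding whether to render a label in Unicode or fall back to Punycode: the mixed-script rule that catches the Cyrillic-“а” plus Latin “pple” case, and a whole-script-confusable rule that closes the single-script bypass described above, where every letter of “аррӏе” is Cyrillic but each has a Latin twin. The look-alike table is a constructed, partial list, and the script detection from Unicode character names is a coarse stand-in for the real Unicode script property.

```python
import unicodedata

# Cyrillic letters whose glyphs match a Latin letter in common fonts.
# Constructed, partial table for this example; real browser lists are longer.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h",
}


def script_of(ch):
    """Coarse script taken from the Unicode name: 'LATIN', 'CYRILLIC', ...
    Digits and the hyphen are 'COMMON' and allowed in any label."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyse_label(label):
    """Classify one hostname label.
    Returns (verdict, skeleton): skeleton is the Latin string a user would
    perceive once Cyrillic look-alikes are replaced by their Latin twins."""
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    if label.isascii():
        return "ascii", skeleton
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        # e.g. Cyrillic 'а' + Latin 'pple': caught by the mixed-script rule
        return "mixed-script", skeleton
    letters = [c for c in label if c.isalpha()]
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES for c in letters):
        # e.g. 'аррӏе': one script, so the mixed-script rule passes, but every
        # letter has a Latin twin, so the whole label is confusable
        return "whole-script-confusable", skeleton
    # Genuine non-Latin names (e.g. 'москва', 'münchen') stay readable
    return "unicode", skeleton


def display_form(host):
    """What the address bar should show: Unicode when a label is harmless,
    'xn--' + Punycode when it is confusable. (A real implementation would
    run full nameprep before encoding; lower() is enough for these samples.)"""
    shown = []
    for label in host.split("."):
        verdict, _ = analyse_label(label)
        if verdict in ("mixed-script", "whole-script-confusable"):
            shown.append("xn--" + label.lower().encode("punycode").decode("ascii"))
        else:
            shown.append(label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed samples: Zheng's two look-alikes plus two legitimate IDNs
    for host in ("\u0430pple.com",                        # Cyrillic а + Latin
                 "\u0430\u0440\u0440\u04cf\u0435.com",     # all Cyrillic
                 "m\u00fcnchen.de",                        # Latin with diacritic
                 "\u043c\u043e\u0441\u043a\u0432\u0430.ru"):  # Cyrillic, not confusable
        verdict, skeleton = analyse_label(host.split(".")[0])
        print(host, verdict, skeleton, "->", display_form(host))
```

The point of the second rule is the one the text makes: a single-script check alone lets “аррӏе.com” through, so a label made entirely of Cyrillic letters that all have Latin look-alikes must also be shown as xn--80ak6aa92e.com, while ordinary Cyrillic names such as “москва” keep their Unicode form.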

The bug was reported to Chrome on Jan 20, 2017 by Xudong Zheng and was fixed in the Chrome 58 update. But the bug still exists in Firefox and Opera.

FIX:

Chrome users: UPDATE TO LATEST BROWSER VERSION

Firefox Users:

OPEN FIREFOX --> ENTER URL about:config --> network.IDN_show_punycode --> true (Firefox will then display every internationalized domain name in its Punycode form, so “аррӏе.com” appears in the address bar as xn--80ak6aa92e.com)

References:

1. http://www.xudongz.com/blog/2017/idn-phishing/

2. http://www.crypto-it.net/eng/attacks/homograph-attack.html