Security

That apple.com link you clicked on? Yeah, it's actually Russian

Didn't we fix this back in 2005? Apparently not


Click this link (don't fret, nothing malicious). Chances are your browser displays "apple.com" in the address bar. What about this one? Goes to "epic.com," right?

Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words. The real domains for the two above links are: xn--80ak6aa92e.com and xn--e1awd7f.com.

In quick testing by El Reg, Chrome 57 on Windows 10 and macOS 10.12, and Firefox 52 on macOS, display apple.com and epic.com rather than the actual domains. We're told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear. Bleeding-edge Chrome 60 on macOS 10.12 was not vulnerable.

This domain disguising, which tricks people into visiting a site they think is legit but really isn't, is called a "homograph attack" – and we were supposed to have fixed it more than a decade ago when the exact same problem was noticed with respect to the address "paypal.com."

So what is this, how does it work, and why does it still exist?

Well, thanks to the origins of the internet in the United States, the global network's addressing systems were only designed to handle English – or, more accurately, the classic Western keyboard and computer ASCII text.

The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language.

And so a lengthy and often embarrassingly tone-deaf effort was undertaken by largely American engineers to resolve this by assigning ASCII-based codes to specific symbols. Unicode became "Punycode."

There may be trouble ahead...

The trouble – which was first noted way back in 2001 – is that some letters in other languages like Cyrillic are different but look almost identical. You can get identical-looking versions of "a", "B", "c", "i", "l", "O" and "p," among others.

So by combining the codes for these other letters with non-coded letters you can appear to spell out a word like "apple," therefore tricking people into visiting a different website from the one they think they are visiting.

Needless to say, the organization in charge of overseeing the domain name system, US-based ICANN, took this seriously and put out a warning back in 2005 on what it termed "homograph attacks." The world's DNS overseer stated:

ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs [internationalized domain names] become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.

And so it turned to its community of internet engineers and policy makers and opened a formal comment forum to come up with "countermeasures" and "improve public protection from abusive use of domain names."

That was 12 years ago. What's happened since?

Not much, it seems. The comment forum that ICANN opened received just three comments and was archived in 2006. Statements put out by internet organizations including CENTR and APTLD have long since been lost thanks to broken hyperlinks.

I can't hear you

The internet community appears to have just wished the problem away. Unfortunately, it was still there. So five years later, in 2010, and then again in 2011, it reappeared.

This time spammers had started using the technique to get people to click on their links by providing what looked like legitimate domain names. The one that caught everyone's attention was a Cyrillic version of "paypal.com" that was really "raural.com," but looked the same.

The problem had grown because of ICANN's own expansion of the IDN space. The organization was under significant pressure from governments around the world who were very unhappy with the speed of progress at the US-based and American-dominated organization in adding their languages to the internet's infrastructure.

For its own self-preservation, ICANN approved a "fast track" of new IDNs, but the issue of homograph attacks appears to have been left untouched. ICANN is in a position to develop new policies that would then likely be adopted by other organizations that make up the internet eco-system – but it appears to have chosen not to bother.

Browser manufacturers have been similarly lazy:

However, even though some browsers responded back in 2010 by turning off IDNs as a default, it appears that at some point a browser update has set the default back to on.

Policy?

In terms of actual policy changes, the last activity we saw was a group working on "universal acceptance" at a domain name conference back in 2015 that would enable all internationalized domains to work across the internet.

That group was being given informal support from ICANN, as well as Google, but has made limited progress thanks to a lack of resources. Part of that group's work was to figure out how to minimize the impact of phishing through IDNs.

As to what you can do to mitigate being tricked by their coding issue: the best solution, unfortunately, is to simply turn off support for IDNs in your browser.

ICANN's webpage on the topic hasn't been updated since September 2015. We prodded ICANN for any information on current efforts to tackle homograph attacks. A spokesperson told The Reg:

ICANN is as concerned as ever about malicious use of the DNS via phishing. We have not changed our rules for what contracted TLDs are allowed to delegate in their zones. The recently described attacks are no different than the ones ICANN has been looking at since the addition of IDNs in 2003.

In the meantime, ICANN is coming toward the end of another lengthy policy process that would allow or block the use of country codes – like "us" for the United States or "de" for Germany – in the hundreds of new top-level domains that ICANN has approved in the past few years. These have contributed hundreds of millions of dollars to the small Los Angeles-based organization.

It should be noted however that the policy only covers ASCII text – ie, the English keyboard. Fifteen years on from the first warning of homograph attacks using non-English characters, it seems that some priorities never change. ®

PS: To fix the issue with Chrome, wait for Chrome 58 to arrive around April 25 and install it. On Firefox, go to about:config and set network.IDN_show_punycode to true.

Send us news
72 Comments
Get our Security newsletter

Keep Reading

Your anti-phishing test emails may be too easy to spot. NIST has a training tool for that

Phish Scale hopes to make life easier for blue teams gazing at click rates

Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack

Attack came in waves that probed for staff with access to the creds crims craved

Phishing awareness gone wrong: Facebook tries to seize websites set up for staff security training

Antisocial network sued by Proofpoint in scrap over domain names

Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5

A very busy six months for Redmond's Digital Crimes Unit

Cybercrooks tend to prefer Google-branded phishing to Microsoft-flavoured lures

So says Barracuda Networks, anyway

If you want to hijack widely used JavaScript packages, try phishing for devs through these DMARC-shaped holes in key Node.js domains

npmjs.com, nodejs.org open to spoofing, we're warned

Sodinokibi/REvil ransomware gang pwns British housing biz via suspected phishing attack

Same people who killed Travelex and revenge-published personal data when ignored. Nice folk

To test its security mid-pandemic, GitLab tried phishing its own work-from-home staff. 1 in 5 fell for it

Welp, at least that's better than industry averages, says code-hosting biz

You have to be very on-trend as a cybercrook – hence why coronavirus-themed phishing is this year's must-have look

F-Secure gives its take on the first half of 2020 in internet scumminess

Google: We've blocked 126 million COVID-19 phishing scams in the past week

240 million daily virus themed spams as 'bad actors' feed on people's fear

Tech Resources

8 Biggest Mistakes IT Practitioners Make And How To Avoid Them

This guide outlines the 8 biggest mistakes IT practitioners make and provides solutions

Rethink What’s Possible

Computer vision and image processing algorithms are increasingly common to commercial and research-related applications. These high resolution models perform complex computations to process image data in real-time and require rapid processing to yield analysis and results.

Four Key Tips From Incident Response Experts

While nothing can fully alleviate the stress of dealing with an attack, knowing what to do in advance will help you defend your organization.

The Role of Machine Learning and Automation in Storage

There has been lots of hype around the increasing role that machine learning, and artificial intelligence more broadly, will play in how we automate the management of IT systems.