- Type of attack: Variation of a homograph attack that allows phishers to spoof legitimate websites to steal credentials and infect victims with malware
- Attack vector: Email
- Who is vulnerable: Firefox users, Opera users, and Chrome users who haven't updated to version 58.0.3029.81.
A new take on an established attack method is making Firefox, Opera, and unpatched Chrome users vulnerable to credential theft and malware.
Demonstrated by security researcher Xudong Zheng, this variant of the homograph attack lets criminals register domains that are visually indistinguishable from legitimate ones by exploiting the way browsers display Internationalized Domain Names. With nothing in the URL to indicate that the site is fraudulent, victims can easily be tricked into entering their login credentials or infected with malware via drive-by downloads.
That unfortunately makes best practices like hovering over a link before clicking it ineffective, and leaves users with no visual way of telling they're heading into a trap.
How the exploit works
The exploit is made possible by Punycode (RFC 3492), the encoding that Internationalized Domain Names use to represent Unicode labels with only the ASCII letters, digits and hyphens that DNS allows. A label containing characters outside the Latin alphabet (A-Z) is registered and resolved in its ASCII form, prefixed with xn--, and browsers decode that form back to Unicode before showing it in the address bar.
For example, the characters 苹果 are represented in Punycode as the label xn--gtvz22d.
To understand how attackers can use Punycode to their advantage, consider this question — when is "apple.com" not really apple.com?
One answer is when the domain is spelled out with letters from the Greek alphabet (alpha, rho, rho, iota, epsilon). Typed out, αρριε.com may look slightly off, but the domain is registered in its Punycode form, and a browser that decodes that form back to Unicode draws the Greek letters with glyphs that, in most fonts, are indistinguishable from the Latin a, p, p, i and e.
Hence, in vulnerable browsers, the Punycode domain "xn--mxail5aa.com" appears in the address bar as something that reads as "apple.com".
As a proof of concept, Zheng registered his own "apple.com" demo domain using Cyrillic letters (а, р, р, ӏ, е) encoded into Punycode. You can see how convincing the result is in the screenshot below or by hovering over this link.
If the URL that appears is "xn--80ak6aa92e.com", you're safe: the browser you're using shows the Punycode form and the exploit doesn't work on it. If it appears as "apple.com," however, the browser you're using is still vulnerable.
Spoofed apple.com domain created by security researcher Xudong Zheng, viewed in Firefox
You'll notice Zheng was even able to get an SSL certificate for the fake domain, an additional convincing touch that provides the reassurance of the green "secure" lock next to the URL. A domain-validated certificate attests only that the requester controls xn--80ak6aa92e.com, which any registrant of that name can prove, so the padlock says nothing about whether that registrant is Apple.
If he had gone to the trouble of replicating Apple's current homepage design there would be very little to tip a user off that the site was fake. From there, all it would take would be a campaign of phishing emails alerting Apple users that they need to reset their passwords...
As of April 20, 2017, the following browsers remain vulnerable to this exploit:
- Firefox
- Opera
- Versions of Chrome prior to the updated version 58.0.3029.81 released on April 19, 2017
At this time, Internet Explorer, Safari, and Microsoft Edge do not appear to be affected.
How users can protect themselves
It's easy to imagine attackers scrambling to put this technique to use. Browser makers have been notified and are at work on updates (Google has already shipped one for Chrome), but in the meantime, here are a few steps you and others at your company can take to reduce your risk.
- Update your browser
Make sure the version of Chrome you're using is the latest version (58.0.3029.81 or higher).
- Change your browser settings
Reconfigure Firefox to display Punycode domain names by going to the about:config page and setting network.IDN_show_punycode to true.
- Use a password manager to protect against credential theft
These programs match on the site's actual hostname (the Punycode form the browser connected to), not on what the address bar displays, so they won't offer your apple.com credentials on xn--80ak6aa92e.com.
- Deploy runtime malware defense to protect against drive-by-download infections
In addition to attempting to collect user log-in credentials, criminals can also add malicious code to fake websites designed to infect visitors with ransomware and other malware.
These attacks often take advantage of vulnerabilities in the visitor's browser, software, or operating system to load malicious code straight into memory, the registry, or legitimate system processes. Because no executable file is written to disk, the attack sidesteps file-based scanning by antivirus and many next-generation antivirus solutions.
Runtime malware defense spots these attacks by observing the early signs of malicious system activity, and blocking it before any damage is done.
Find out more about how RMD works in our Complete Guide to Runtime Malware Defense.
To see RMD in action, check out our post, "Stopping Cerber Ransomware During Runtime".