A bug allowed registering phishing domains with Unicode characters


A few days ago, researchers at Soluble published their discovery of a new way to register domains with homoglyphs: domains that look like other domains but actually differ because they contain characters with a different meaning.

At first glance, such internationalized domain names (IDNs) may be indistinguishable from the domains of well-known companies and services, which allows them to be used for spoofing, including obtaining valid TLS certificates for them.

Once registered, these domains look like the legitimate, well-known ones and can be used to carry out social engineering attacks against organizations.

Matt Hamilton, a researcher at Soluble, found that it is possible to register domains under several generic top-level domains (gTLDs) using characters from the Unicode Latin IPA Extensions block (such as ɑ and ɩ), and was in fact able to register the domains listed below.

Classic substitution through a visually similar IDN domain has long been blocked by browsers and registrars, because mixing characters from different scripts is prohibited. For example, a fake apple.com ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "а" (U+0430), since mixing letters from different scripts in one label is not allowed.

In 2017, a way to circumvent this protection was discovered: the domain was composed only of non-Latin Unicode characters, without any Latin letters at all (for example, using only characters from another script that look like Latin letters).

Now another way of bypassing the protection has been found. It relies on the fact that registrars block mixing Latin with other Unicode scripts, but if the Unicode characters used in the domain belong to the Latin character group, the mix is allowed, since the characters are considered to belong to the same script.

The problem is that the Unicode Latin IPA Extensions block contains homoglyphs that are visually similar to other Latin characters: the symbol "ɑ" resembles "a", "ɡ" resembles "g", and "ɩ" resembles "l".

The possibility of registering domains in which Latin letters are mixed with these Unicode characters was confirmed with the Verisign registry (no other registrars were checked), and subdomains with the same characters were also created in the Amazon, Google, Wasabi and DigitalOcean services.

Although the investigation was limited to Verisign-managed gTLDs, the large network providers did not take the problem into account: despite the notifications sent, three months later it had been fixed, at the last minute, only at Amazon and Verisign, as they were the only ones to take the problem seriously.

Hamilton kept his report private until Verisign, the company that manages domain registrations for prominent top-level domain extensions (gTLDs) like .com and .net, fixed the problem.

The researchers also launched an online service that lets you check your own domains, searching for possible homoglyph variants of them, including already registered domains and TLS certificates issued for similar names.

Regarding HTTPS certificates, 300 homoglyph domains were checked against the Certificate Transparency logs, and 15 of them appeared in issued certificates.

Current Chrome and Firefox browsers show such domains in the address bar in the "xn--" (Punycode) notation; however, the domains appear unconverted in links, which can be used to embed malicious resources or links in pages under the pretext of loading them from legitimate sites.

For example, one of the homoglyph domains identified was observed distributing a malicious version of the jQuery library.
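As an added example (not code from the original article or from Soluble's own checker), the following Python script implements the checks the article describes: it flags labels that mix ASCII Latin letters with Latin IPA Extensions homoglyphs (the bypass), distinguishes that from the classic cross-script mix that registrars already block, maps the three homoglyphs named in the article back to the ASCII letters they imitate so that a list of names (for instance subject names pulled from Certificate Transparency, as in the check described above) can be matched against a brand watchlist, and renders each domain in the "xn--" form that browsers show in the address bar. The homoglyph table, the sample names and the watchlist are constructed for this example.

```python
"""Spot IDN lookalike domains that mix ASCII Latin with Latin IPA Extensions.

Added example, not code from the original article or from Soluble.  The
homoglyph table covers only the three characters the article names
(ɑ, ɡ, ɩ); any wider table is an assumption left to the reader.
"""
import unicodedata

# Latin IPA Extensions block, where the lookalike letters live.
IPA_BLOCK = range(0x0250, 0x02B0)

# IPA homoglyph -> the ASCII letter it imitates (only those named in the article).
IPA_HOMOGLYPHS = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G
    "\u0269": "l",  # ɩ LATIN SMALL LETTER IOTA
}


def script_of(ch):
    """Coarse script bucket derived from the character's Unicode name."""
    if ch.isascii():
        return "ascii"
    if ord(ch) in IPA_BLOCK:
        return "latin-ipa"
    name = unicodedata.name(ch, "")
    # First word of the name: "latin", "cyrillic", "greek", ...
    return name.split(" ")[0].lower() if name else "unknown"


def skeleton(domain):
    """Replace each known IPA homoglyph with the ASCII letter it imitates."""
    return "".join(IPA_HOMOGLYPHS.get(ch, ch) for ch in domain)


def to_ace(domain):
    """Domain as the address bar shows it: each non-ASCII label becomes
    'xn--' followed by its RFC 3492 Punycode encoding (stdlib codec)."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def analyse(domain):
    """Classify one domain name (lower-cased Unicode form)."""
    domain = domain.lower()
    scripts = {script_of(ch) for ch in domain if ch != "."}
    has_ascii_letter = any(ch.isascii() and ch.isalpha() for ch in domain)
    return {
        "domain": domain,
        "ace": to_ace(domain),
        "looks_like": skeleton(domain),
        # The bypass described in the article: ASCII Latin mixed with Latin
        # IPA lookalikes, which script-mixing rules treat as one script.
        "ipa_latin_mix": "latin-ipa" in scripts and has_ascii_letter,
        # The classic case registrars already block: Latin mixed with
        # another script such as Cyrillic.
        "cross_script_mix": bool(scripts - {"ascii", "latin", "latin-ipa"})
        and ("ascii" in scripts or "latin" in scripts),
    }


def find_lookalikes(names, watchlist):
    """Return (domain, ace, imitated) for names whose IPA skeleton equals a
    watched brand domain but that are not that domain itself.  Intended for
    feeds such as Certificate Transparency subject names or DNS logs."""
    watched = {w.lower() for w in watchlist}
    hits = []
    for name in names:
        info = analyse(name)
        if info["looks_like"] != info["domain"] and info["looks_like"] in watched:
            hits.append((info["domain"], info["ace"], info["looks_like"]))
    return hits


# Constructed sample input: subject names as they might appear in a CT log feed.
SAMPLE_NAMES = [
    "amɑzon.com",      # IPA alpha in place of the second 'a'
    "ɡmɑil.com",       # IPA script g and alpha
    "pɑypɑɩ.com",      # IPA alpha and iota
    "\u0430pple.com",  # Cyrillic a: cross-script mix, not in the IPA table
    "amazon.com",      # the genuine domain, must not be flagged
]
WATCHLIST = ["amazon.com", "gmail.com", "paypal.com", "apple.com"]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_NAMES, WATCHLIST):
        print("%s  ->  %s  (imitates %s)" % hit)
    print(analyse("\u0430pple.com"))
```

The Cyrillic sample is deliberately left out of the IPA table: it is caught by the `cross_script_mix` flag rather than by the skeleton match, which shows why the IPA case needed a separate check. The `ace` value is what a user would see in the address bar, while the `domain` value is what they would see in a link on the page.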

During the experiment, the researchers spent $400 and registered the following domains with Verisign:

  • amɑzon.com
  • chɑse.com
  • salesforce.com
  • ɡmɑil.com
  • ɑppɩe.com
  • ebɑy.com
  • static.com
  • steɑmpowered.com
  • theɡguardian.com
  • theverɡe.com
  • washingtonpost.com
  • pɑypɑɩ.com
  • wɑlmɑrt.com
  • wɑsɑbisys.com
  • yɑhoo.com
  • cɩoudfɩare.com
  • deɩɩ.com
  • gmɑiɩ.com
  • www.gooɡleapis.com
  • huffinɡtonpost.com
  • instaram.com
  • microsoftonɩine.com
  • ɑmɑzonɑws.com
  • ɑdroid.com
  • netfɩix.com
  • nvidiɑ.com
  • www.eog.com

If you want to know more details about this discovery, you can consult the following link.
