ICANN61 – Tech Day IDN Abuse

Post on 11-Jun-2020


FARSIGHT SECURITY

Merike Kaeo (presenting)

Research by: Mike Schiffman, Stephen Watt

ICANN61 – Tech Day IDN Abuse

Motivation

•  Lots of Data To Play With
•  Shed Light on Domain Abuse via IDN Homographs
   •  IDNs allow forgeries to be nearly undetectable by either human eyes or human judgment
   •  Is it well understood by the wider public?
•  How Bad Is The Problem
   •  Registering Internet DNS names for the purpose of misleading consumers is not news
   •  Wanted to determine prevalence and reach of issue

Terminology

Terms to know when dealing with IDNs

•  Code point: A numerical value representing a Unicode character, e.g. U+03B1

•  Plane: A contiguous set of code points (17 in total; plane 0, the Basic Multilingual Plane, is the most important)

•  Block: Logical subdivision of a plane; "Basic Latin" (ASCII 0x00-0x7f), or CJK Unified Ideographs

•  UTF-8: Common scheme for variable length encoding of Unicode code points into sequences of 1–4 bytes (U+0000–U+10FFFF); is backwards compatible with ASCII

•  SSIM: Structured Similarity Index; a fractional value representing the similarity between two images that can range from 0.0 (least similar) to 1.0 (identical)

•  Homoglyph: One of two or more characters with shapes that appear identical or very similar (O "oh" and 0 "zero")

•  Homograph: Same as above, but entire words are considered

Unicode

Universal Encoding

•  Unicode is a universal standard for encoding language glyphs
•  It provides a unique number for every character (this is a code point)
•  Latest version contains 136,755 characters covering 139 modern and historic scripts

Example Unicode characters

F: U+0046    I: U+0049    ✪: U+272A
A: U+0041    G: U+0047    ∰: U+2230
R: U+0052    H: U+0048    ॐ: U+0950
S: U+0053    T: U+0054    ♥: U+2665


Punycode

A lossless method for downsampling Unicode into ASCII

•  Taking data that requires larger encoding space and fitting it into a smaller presentation format ("puny")
•  Punycode is an encoding to convert Unicode characters into ASCII
•  Technically, into a subset of ASCII known as LDH (letters, digits, hyphens)

Example Unicode --> Punycode

αβγδεζηθικλµνξοπρστυφχψω --> xn--mxacdefghijklmnopqr0btuvwxy

IDNs represent Unicode labels and may appear as such to the end user, but over the wire they are sent encoded using Punycode

IDN Homographs

•  Different letters or characters might look alike
   •  Uppercase "I" and lowercase "l"
   •  Letter "O" and number "0"

•  Characters from different alphabets or scripts may appear indistinguishable from one another to the human eye
   •  Individually they are known as homoglyphs
   •  In the context of the words that contain them they constitute homographs


IDN Homograph Attacks

And this is why we can't have nice things

•  Bad actors figured out they can register IDNs and target sites using homoglyphs (or sometimes homographs)

Example Punycode to rendered Unicode IDNs:

xn--frsight-2fg.com --> fаrsight.com
xn--80ak6aa92e.com --> аррӏе.com

All Cyrillic characters

Unicode U+0430
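As an added example (not part of the original slides or of Farsight's research code), the Python sketch below decodes the two Punycode names shown above and flags them the way a defender's triage script might: labels that mix scripts, and labels whose Latin "skeleton" matches a watched brand. The `CONFUSABLES` table and `WATCHED` list are constructed for illustration, and inferring a letter's script from its Unicode character name is a simplifying assumption.

```python
import unicodedata

# Constructed subset of Cyrillic-to-Latin lookalikes (assumption for this
# example); real tooling would load the Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l",
}
WATCHED = {"farsight", "apple"}  # constructed watch list of brand labels


def decode_label(label):
    """Convert one DNS label from its xn-- (Punycode) form to Unicode."""
    label = label.lower()
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed Punycode: leave as-is for manual review


def scripts(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}


def skeleton(text):
    """Map known lookalike characters to the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def assess(domain):
    """Flag the leftmost label of a registered domain name."""
    shown = decode_label(domain.split(".")[0])
    found, skel, reasons = scripts(shown), skeleton(shown), []
    if len(found) > 1:
        reasons.append("mixed-script")
    if skel != shown and skel in WATCHED:
        reasons.append("lookalike:" + skel)
    return {"unicode": shown, "scripts": sorted(found), "reasons": reasons}


if __name__ == "__main__":
    # The two Punycode names from the slide, plus a plain ASCII control.
    for name in ("xn--frsight-2fg.com", "xn--80ak6aa92e.com", "farsight.com"):
        print(name, assess(name))
```

The second name is the harder case: every letter is Cyrillic, so a mixed-script check alone passes it and only the skeleton comparison catches it.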

Research Done

•  Examined 125 top brand domain names
   •  Large content providers, social networking companies, financial websites, luxury brands, cryptocurrency exchanges, etc.

•  Monitoring IDN homographs in real-time
•  From 3 month observation period observed 116,113 homographs
   •  2017-10-17 23:41 UTC to 2018-01-10 19:00 UTC

Disturbing Findings

•  In depth details:
   •  https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/

•  The large number of homographs seems disturbing and may need further investigations

•  No assumption made of intent against domains or domain owners

•  However, did find some live phishing sites
•  Companies were contacted to alert them of suspected phishing sites
•  Demonstrates that threat of IDN homograph impersonation is both real and actively being exploited

Suspicious IDNs


General Observations

•  While IDN related abuse domains are a fraction of the overall abuse domains, they do exist
•  Publicity surrounding this kind of abuse is growing which will motivate potentially more abuse
•  What is role of IETF (who decides what characters can be used in an IDN) vs role of ICANN (who decides policy)?
•  Would certain policy enforcements mitigate most of the potentially harmful IDN related abuse domains?

QUESTIONS ?
