Soluble researchers
Classic substitution through an outwardly similar IDN domain has long been blocked by browsers and registrars, because mixing characters from different scripts is prohibited. For example, the fake domain apple.com ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "a" (U+0430), since mixing letters from different scripts within one domain is not allowed. In 2017 was
Now another method of bypassing this protection has been found. It relies on the fact that registrars block mixing Latin with characters from other Unicode scripts, but if the non-ASCII Unicode characters used in the domain themselves belong to the Latin script, such mixing is allowed, since the characters are considered part of the same alphabet. The problem is that the extension
symbol "
The possibility of registering domains that mix the Latin alphabet with these Unicode characters was confirmed at the registrar Verisign (other registrars were not checked), and subdomains were created in the Amazon, Google, Wasabi and DigitalOcean services. The problem was found in November of last year; despite the notifications sent, three months later it had been fixed, at the last moment, only at Amazon and Verisign.
During the experiment, the researchers spent $400 to register the following domains with Verisign:
- amɑzon.com
- chɑse.com
- salesforce.com
- ɡmɑil.com
- ɑppɩe.com
- ebɑy.com
- static.com
- steɑmpowered.com
- theɡguardian.com
- theverɡe.com
- washingtonpost.com
- pɑypɑɩ.com
- wɑlmɑrt.com
- wɑsɑbisys.com
- yɑhoo.com
- cɩoudfɩare.com
- deɩɩ.com
- gmɑiɩ.com
- www.gooɡleapis.com
- huffinɡtonpost.com
- instaram.com
- microsoftonɩine.com
- ɑmɑzonɑws.com
- ɑdroid.com
- netfɩix.com
- nvidiɑ.com
- www.eog.com
The researchers also launched
Current Chrome and Firefox browsers display such domains in the address bar in Punycode notation with the "xn--" prefix; in links on a page, however, the domains are shown without conversion, which can be used to embed malicious resources or links under the guise of loading them from legitimate sites. For example, a malicious variant of the jQuery library was distributed from one of the identified homoglyph domains.
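The following script is an added example, not code from the researchers or from opennet.ru. It shows the two points above from a defender's side: why a "same script" check alone lets these names through (every non-ASCII letter in them has a Unicode name beginning with LATIN), and what the browser address bar would show (the xn-- A-label). It also maps the three Latin-script look-alike letters used in the registered domains (ɑ U+0251, ɡ U+0261, ɩ U+0269) back to the ASCII letters they imitate and compares the result with a watchlist of brand labels. The look-alike map and the watchlist are constructed for the example and are deliberately small; the script-detection heuristic (first word of the character name) is an approximation, since the standard library exposes no Script property.

```python
import unicodedata

# Constructed subset of Latin-script look-alikes (not the full Unicode
# confusables table). These are the letters that appear in the domains above.
LATIN_CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0269": "l",  # LATIN SMALL LETTER IOTA
}

# Constructed watchlist of brand labels a defender might want to protect.
WATCHLIST = {"amazon", "gmail", "paypal", "cloudflare", "apple"}


def script_of(ch: str) -> str:
    """Approximate the script of a character from the first word of its
    Unicode name (e.g. 'LATIN', 'CYRILLIC'). Heuristic, not the Script property."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def to_punycode(domain: str) -> str:
    """Render each non-ASCII label as an xn-- A-label, as the address bar does.
    Uses the raw punycode codec (no IDNA mapping step) for clarity."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Replace known Latin-script look-alikes with the ASCII letter they imitate."""
    return "".join(LATIN_CONFUSABLES.get(ch, ch) for ch in label)


def analyze(domain: str) -> dict:
    """Describe a domain the way a registrar or link-scanner should look at it."""
    domain = domain.lower()
    non_ascii = [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"), script_of(ch))
        for ch in domain
        if not ch.isascii()
    ]
    # A check that only rejects *mixed* scripts passes when every non-ASCII
    # character is itself Latin, which is exactly the bypass described above.
    passes_mixed_script_check = all(s == "LATIN" for _, _, _, s in non_ascii)
    impersonates = sorted(
        {skeleton(lbl) for lbl in domain.split(".") if not lbl.isascii()} & WATCHLIST
    )
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "non_ascii": non_ascii,
        "passes_mixed_script_check": passes_mixed_script_check,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for d in ("amɑzon.com", "pɑypɑɩ.com", "amazon.com", "\u0430pple.com"):
        r = analyze(d)
        print(r["domain"], "->", r["punycode"])
        for ch, cp, name, script in r["non_ascii"]:
            print(f"  {ch} {cp} {name} [{script}]")
        print("  passes mixed-script check:", r["passes_mixed_script_check"])
        print("  impersonates:", r["impersonates"])
```

The useful signal for a defender is the combination: a label that is non-ASCII, passes a same-script check, and whose look-alike skeleton equals a protected brand. Real deployments should replace the three-entry map with the full Unicode confusables data (UTS #39) and should run the same check on every href and src found in page content, since that is where the browsers do not apply the xn-- conversion.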
Source: opennet.ru