Ability to register phishing domains with similar unicode characters in the name

Researchers at Soluble have disclosed a new way to register homoglyph domains: names that look almost identical to other domains but are actually made up of different characters. Such internationalized domain names (IDNs) may at first glance be indistinguishable from those of well-known companies and services, which makes them usable for phishing, and valid TLS certificates can be obtained for them.

The classic substitution with a visually similar IDN domain has long been blocked by browsers and registrars through a ban on mixing characters from different scripts. For example, a fake apple.com ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "а" (U+0430), since letters from different scripts may not be mixed in one domain label. In 2017 a way around this protection was found that uses Unicode characters exclusively, with no Latin letters at all (for example, characters from a script whose letters resemble Latin ones).

Now another bypass has been found. It relies on the fact that registrars block the mixing of Latin with other scripts, but if the Unicode characters in the domain themselves belong to the Latin script, the mix is allowed, since all characters are considered to come from the same alphabet. The problem is that the IPA Extensions block of Unicode, which is classified as Latin script, contains homoglyphs of ordinary Latin letters: "ɑ" (U+0251) resembles "a", "ɡ" (U+0261) resembles "g", and "ɩ" (U+0269) resembles "l".
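The following is an added example (not code from the article or from Soluble) that shows why a script-mixing check alone does not catch these names. It approximates the Unicode Script property from the character name, so the Cyrillic "а" in apple.com is flagged as mixed-script, while the IPA alpha in amazon.com passes as "all Latin" and is only caught by mapping each character to the ASCII letter it resembles. The lookalike table is a constructed four-entry subset of the Unicode confusables data, and the ACE ("xn--") form is produced with Python's raw RFC 3492 `punycode` codec, not a full IDNA implementation.

```python
import unicodedata

# Constructed lookalike table for this example: the three IPA Extensions
# letters named in the article plus the classic Cyrillic case. Code points
# are from the Unicode standard; this is not the full confusables list.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0269": "l",  # LATIN SMALL LETTER IOTA
    "\u0430": "a",  # CYRILLIC SMALL LETTER A (the case mixed-script rules block)
}

# Characters that belong to no particular script (Script=Common).
COMMON = set("-0123456789")


def script_of(ch: str) -> str:
    """Approximate the Unicode Script property from the first word of the
    character name ("LATIN SMALL LETTER ALPHA" -> "LATIN")."""
    if ch in COMMON:
        return "Common"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_to_ace(label: str) -> str:
    """Encode one non-ASCII label as an xn-- label (RFC 3492 only, no IDNA mapping)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def label_to_unicode(label: str) -> str:
    """Inverse of label_to_ace."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ace(domain: str) -> str:
    return ".".join(label_to_ace(label) for label in domain.split("."))


def to_unicode(domain: str) -> str:
    return ".".join(label_to_unicode(label) for label in domain.split("."))


def analyze_domain(domain: str) -> dict:
    """Report the ACE form, whether scripts are mixed, which confusable
    characters appear, and which ASCII domain the name visually imitates."""
    domain = domain.lower()
    letters = domain.replace(".", "")
    scripts = {script_of(ch) for ch in letters} - {"Common"}
    homoglyphs = [
        {
            "char": ch,
            "codepoint": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch),
            "resembles": CONFUSABLES[ch],
        }
        for ch in letters
        if ch in CONFUSABLES
    ]
    # "Skeleton" of the name: every confusable replaced by its ASCII lookalike.
    looks_like = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    return {
        "domain": domain,
        "ace": to_ace(domain),
        "mixed_scripts": len(scripts) > 1,
        "homoglyphs": homoglyphs,
        "looks_like": looks_like,
        "spoof_candidate": looks_like != domain,
    }


if __name__ == "__main__":
    for name in ("amazon.com", "am\u0251zon.com", "\u0430pple.com", "p\u0251yp\u0251\u0269l.com"):
        r = analyze_domain(name)
        print(f"{r['domain']:18} {r['ace']:24} mixed={r['mixed_scripts']!s:5} "
              f"looks_like={r['looks_like']} spoof={r['spoof_candidate']}")
```

The output makes the article's point concrete: for the Cyrillic variant `mixed_scripts` is True, for the IPA variants it is False, and only the `looks_like` comparison flags both. A registry or a certificate-issuance pipeline that stops at a script check will therefore accept the IPA names.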


The ability to register domains that mix the Latin alphabet with these Unicode characters was confirmed with Verisign, the operator of the .com registry (other registries and registrars were not checked), and subdomains with such names were created in the Amazon, Google, Wasabi and DigitalOcean services. The problem was found in November of last year and, despite the notifications sent, three months later it had been fixed only by Amazon and Verisign, and only at the last moment.

During the experiment the researchers spent $400 registering the following domains through Verisign:

  • amɑzon.com
  • chɑse.com
  • salesforce.com
  • ɡmɑil.com
  • ɑppɩe.com
  • ebɑy.com
  • static.com
  • steɑmpowered.com
  • theɡguardian.com
  • theverɡe.com
  • washingtonpost.com
  • pɑypɑɩ.com
  • wɑlmɑrt.com
  • wɑsɑbisys.com
  • yɑhoo.com
  • cɩoudfɩare.com
  • deɩɩ.com
  • gmɑiɩ.com
  • www.gooɡleapis.com
  • huffinɡtonpost.com
  • instaram.com
  • microsoftonɩine.com
  • ɑmɑzonɑws.com
  • ɑdroid.com
  • netfɩix.com
  • nvidiɑ.com
  • www.eog.com

The researchers have also launched an online service that checks a given domain for possible homoglyph alternatives, including whether such lookalikes are already registered and whether TLS certificates have been issued for them. As for HTTPS certificates, 300 homoglyph domains were checked against the Certificate Transparency logs, and certificate issuance was found for 15 of them.

Current Chrome and Firefox builds show such domains in the address bar in the "xn--" (Punycode) form, but in links and resource references on a page the domain appears unconverted, which can be used to embed malicious resources or links into pages under the guise of loading them from legitimate sites. For example, a malicious variant of the jQuery library was being distributed from one of the identified homoglyph domains.
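A check a site owner can run over their own pages, as an added example that is not part of the article: parse the HTML, collect every `src` and `href` target, and flag any hostname that is not plain ASCII, printing the "xn--" form that the browser actually resolves. The sample HTML below and the `cdn.amɑzon.com` hostname in it are constructed for the example; the article does not name the domain that served the malicious jQuery.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one legitimate jQuery reference, one local script,
# and one reference whose host contains LATIN SMALL LETTER ALPHA (U+0251).
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.am\u0251zon.com/jquery.min.js"></script>
<link rel="stylesheet" href="https://code.jquery.com/ui/1.12.1/themes/base/jquery-ui.css">
</head><body><a href="https://example.com/login">Sign in</a></body></html>
"""


class ResourceRefs(HTMLParser):
    """Collect (tag, url) pairs from src and href attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append((tag, value))


def host_to_ace(host: str) -> str:
    """Per-label RFC 3492 encoding of a hostname (no IDNA mapping step)."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split(".")
    )


def find_idn_hosts(html: str) -> list[dict]:
    """Return every src/href whose hostname contains non-ASCII characters,
    together with the ACE form a browser would actually connect to."""
    parser = ResourceRefs()
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        host = urlsplit(url).hostname  # None for relative URLs such as /static/app.js
        if host and not host.isascii():
            findings.append({"tag": tag, "url": url, "host": host, "ace": host_to_ace(host)})
    return findings


if __name__ == "__main__":
    for f in find_idn_hosts(SAMPLE_HTML):
        print(f"<{f['tag']}> loads {f['url']}\n    host {f['host']} -> {f['ace']}")
```

Anything this reports deserves a look, since the page source shows the readable lookalike while the request goes to the xn-- host. Subresource Integrity on third-party scripts, or a Content Security Policy that lists the ASCII hosts explicitly, closes the gap independently of what the address bar displays.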

Source: opennet.ru
