My Social Engineering post mentioned the dangers of Phishing Attack and this article will describe one of the most lethal Phishing Attack Vector.
Phishing Attack from a Known Domain
Imagine you open facebook.com with a good looking green padlock followed by “secure” in your address bar and enter your credentials just to find out that you were being targeted by a Phishing Attack.
Although this attack vector surfaced in 2017 but even after Q1 2018 , this Phishing Attack is still by far the most lethal of known phishing attacks
This example demonstrates how an attacker can register their own domain that looks identical to another company’s domain in the browser. Wordfence made a Proof of Concept (PoC) on a healthcare site called ‘epic.com’ by registering their own fake site. Visit the Phishing domain in Chrome or Firefox and see the address bar for comparison you can visit the real epic.com. Notice the difference?
Real epic.com in Chrome:
Fake epic.com in Chrome:
Real epic.com in Firefox:
Fake epic.com in Firefox:
Both of these domains appear identical in the browser but they are completely different. The fake epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in some browsers as epic.com.
The real epic.com is a healthcare website. Using a unicode domain, Hackers could clone the real epic.com website, then start emailing people and try to get them to sign into a fake healthcare website which would hand over their login credentials to them. Hackers may then have full access to their healthcare records or other sensitive data.
WordFence managed to get an SSL certificate for this demonstration attack domain from LetsEncrypt. Which enabled the ‘Secure’ next to the fake domain in Chrome and the little green lock symbol in Firefox.
[PoC] How this Phishing Attack Works?
The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In simple words, this means that if we have a domain with Chinese or other foreign characters,one can register a domain with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.
In this PoC Demo ‘e’ ‘p’ ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters are used. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.
[How-to] Fix this in Firefox:
In your Firefox location bar, type about:config.
Do a search for ‘punycode’.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.
Now if you try to visit demo site you should see:
[How-To] Fix this in Chrome?
Badluck. Chrome have already released a fix in their ‘Canary’ release, which is their test release. This should be released to the general public within the next few days.
What should Chrome users do ?
Copy the URL in the location bar and paste it into Notepad or TextEdit on Mac. It should appear as the https://xn--….. version if it is a fake domain. Otherwise it will appear as the real domain in its unencoded form if it is the real thing.
Update: Chrome has fixed punnycode domains
Safari and Edge
Safari and Edge both browsers are safe from this attack vector.
Have you ever witnessed phishing attack targeting you or your organization ? what was it and how you countered it ?