Study Finds Top Sites Can Be Impersonated Using Non-Latin Alphabet

Homograph attacks using international characters to spoof well-known web domains were found targeting more than 100 top brands

Security researchers have spotted Internationalised Domain Names (IDNs) being actively used to mimic more than one hundred top brands, including Amazon, Apple, Microsoft and Facebook.

Farsight Security said its study shows the use of non-Latin alphabets to create authentic-looking domain names is far from theoretical.

IDNs, introduced in 2010, can be used to create malicious sites that are “pixel-perfect renditions of the brands they’re impersonating”, Farsight said.

The false URLs, called homographs, can be used as part of phishing attacks that attempt to trick users into entering their account logins.

Web impersonation

Such techniques are relatively low-tech, but have been used in high-profile hacks such as the infiltration of the Democratic National Convention’s email systems during the 2016 US presidential election campaign.

“We observed IDN homographs mimicking 125 top ‘phish-worthy’ domains including large content providers, social networking giants, financial websites, luxury brands, cryptocurrency exchanges, and other popular websites,” Farsight researcher Mike Schiffman wrote.

The brands were impersonated by 116,000 homographs, including ғасеьоок.com, written using cyrillic characters.

IDNs are transmitted at the back-end using Punycode, which represents the above domain as xn--80akppap2f62a.com. Browsers automatically translate the code into alphabets including Greek, Farsi and Chinese.

Farsight observed the Facebook counterfeit earlier this month, and found it included fake login fields. But the site’s SSL certificate had expired, making it look less authentic.

That wasn’t the case with “polonìex.com” (xn--polonex-3ya.com), a fake version of the website of Poloniex, a large cryptocurrency exchange, which featured a valid certificate.

Phishing protection

But the false Poloniex site misspelled the words “sign in” as “sing in” five times throughout the page.

“Otherwise, the site is a reasonably good facsimile of the real Poloniex website that could easily bilk a user after deceiving them into making a login attempt,” wrote Schiffman.

Other targeted companies included Apple, Adobe, Amazon, Bank of America, Cisco, Coinbase, Credit Suisse, eBay, Bittrex, Google, Microsoft, Netflix, New York Times, Twitter, Walmart, Yahoo, Wikipedia, YouTube and Yandex.

Farsight said users should be wary of unsolicited emails that request them to log into an account, and can protect themselves by using browsing protection tools and two-factor authentication.

Schiffman said any high-profile company that interacts with users is likely to be targeted, and that firms can head off criminals by registering IDNs that could be used in homograph attacks.

Would a rose by any other name smell just as sweet? Decide for yourself with our tech company name quiz!