Written by: Joseph Sarkisian, GWAPT
As many organizations are now painfully aware, attackers are increasingly targeting the human element of their organizations in order to gain access. Given the increased security focus on hardening the network perimeter, the attacker’s return on investment of pounding away at the 10-foot-thick wall for weeks on end has dwindled and a well-placed phishing email has become a far more fruitful method.
According to the Verizon Data Breach Investigations Report (DBIR) of 2019, 33% of all breaches included social attacks, and the top attack vector was phishing. Between DBIR report years 2013 to 2018, social engineering attacks have more than doubled—from 17% in 2013 to 35% in 2018.
Attackers always seem to be ahead of phishing mitigation solutions, and the traditional methods of spotting a malicious email are no longer enough. While checking the URL a link actually points to and double-checking spelling, formatting, and warning banners are all important, one particularly vicious kind of attack is extremely difficult to spot: the use of Punycode to obfuscate text.
Punycode to Unicode
At the 2019 DEF CON 27 security conference, Michael Wylie (@themikewylie) presented on this effective attack vector.
Punycode is an encoding that represents Unicode, including non-English characters (think Greek, Arabic, etc.), in ASCII format so that it can be used in domain names. As an example, let’s say we wanted to create a malicious domain that masquerades as Apple’s website in order to steal passwords. While “apple.com” is obviously taken, what else could we do to trick people into falling for our attack? By registering a domain name that looks like Apple’s domain, but is written in Punycode!
It just so happens that there is a character in the Cyrillic alphabet that looks almost identical to a lowercase English “p”. By encoding this character with Punycode, we can use it right alongside English characters in our domain:
Figure 1 – Using Punycode conversion tool to translate Cyrillic characters
Once we register our Apple doppelganger domain, here’s what we get in some browsers:
Figure 2 – Our resolved, Punycode-registered domain name
All but the most seasoned security veterans would be easily fooled by this malicious domain.
How can this kind of attack be prevented?
Some browsers, depending on version, will de-obfuscate the domain name—instead of the Cyrillic “p” characters, you would see the full Punycode in the domain, like in figure 1. Recent versions of Google Chrome, Internet Explorer, Apple Safari, and Microsoft Edge are good at translating these obfuscated characters into the full Punycode domain name; Mozilla’s Firefox browser is not as adept at handling these attacks.
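The following is an added example, not code from the article or from the DEF CON talk. It shows both halves of what the sections above describe: how a label containing the Cyrillic look-alike “р” (U+0440, a constructed sample standing in for the registered domain in Figure 2) is encoded into its Punycode “xn--” form, and a simple defender-side check that decodes a domain and flags labels mixing scripts. The domain names and the script heuristic (first word of each letter's Unicode character name) are assumptions of this example; the `idna` codec is Python's built-in one.

```python
import unicodedata

# Constructed sample: "apple.com" with both "p"s replaced by CYRILLIC SMALL LETTER ER
# (U+0440), which renders almost identically to a Latin "p" in many fonts.
HOMOGLYPH_DOMAIN = "a\u0440\u0440le.com"
GENUINE_DOMAIN = "apple.com"


def to_ace(domain: str) -> str:
    """ASCII-compatible form: each non-ASCII label becomes an xn-- (Punycode) label."""
    return domain.encode("idna").decode("ascii")


def from_ace(domain: str) -> str:
    """Decode xn-- labels back to Unicode so the real characters can be inspected."""
    return domain.lower().encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Heuristic script detection: first word of the Unicode name of each letter,
    e.g. 'LATIN SMALL LETTER A' -> LATIN, 'CYRILLIC SMALL LETTER ER' -> CYRILLIC."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def inspect_domain(domain: str) -> dict:
    """Return the Unicode and Punycode views of a domain and flag any label that
    mixes scripts, the pattern used when a Cyrillic letter sits inside an otherwise
    Latin label. Accepts either form (Unicode or already xn--encoded)."""
    unicode_form = from_ace(domain) if "xn--" in domain.lower() else domain
    mixed = []
    for label in unicode_form.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            mixed.append({"label": label, "scripts": sorted(scripts),
                          "punycode": to_ace(label)})
    return {"unicode": unicode_form, "punycode": to_ace(unicode_form),
            "mixed_script_labels": mixed, "suspicious": bool(mixed)}


if __name__ == "__main__":
    for d in (GENUINE_DOMAIN, HOMOGLYPH_DOMAIN, "xn--ale-0eda.com"):
        print(inspect_domain(d))
```

The `punycode` field is exactly what a browser shows when it refuses to render the IDN form, and what Firefox's about:config preference `network.IDN_show_punycode` forces it to show; the same `inspect_domain` check can be run over link targets extracted from mail or proxy logs.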
Conclusion
The takeaway is to make sure you are using the most up-to-date versions of software, including browsers, in your environment in order to better protect yourself from this Punycode phishing. Some browsers have specific settings you can enable to spot these domains more easily—Firefox has an option to force the display of Punycode, but this is not enabled by default.
Employees should also be trained to look for these bizarre domain names before clicking on anything within an email, especially since this may be the only indicator of a problem in a particularly well-crafted phish.