ICANN61 – Tech Day IDN Abuse
FARSIGHT SECURITY
Merike Kaeo (presenting)
Research by: Mike Schiffman, Stephen Watt
ICANN61 – Tech Day IDN Abuse
Motivation
• Lots of Data To Play With
• Shed Light on Domain Abuse via IDN Homographs
  • IDNs allow forgeries to be nearly undetectable by either human eyes or human judgment
  • Is it well understood by the wider public?
• How Bad Is The Problem
  • Registering Internet DNS names for the purpose of misleading consumers is not news
  • Wanted to determine prevalence and reach of issue
Terminology
Terms to know when dealing with IDNs
• Codepoint: A numerical value representing a Unicode character (e.g. U+03B1)
• Plane: A contiguous set of code points (17 in total; plane 0, the Basic Multilingual Plane, is the most important)
• Block: Logical subdivision of a plane; "Basic Latin" (ASCII 0x00–0x7f), or CJK Unified Ideographs
• UTF-8: Common scheme for variable-length encoding of Unicode code points into sequences of 1–4 bytes (U+0000–U+10FFFF); is backwards compatible with ASCII
• SSIM: Structured Similarity Index; a fractional value representing the similarity between two images that can range from 0.0 (least similar) to 1.0 (identical)
• Homoglyph: One of two or more characters with shapes that appear identical or very similar (O "oh" and 0 "zero")
• Homograph: Same as above, but entire words are considered
Unicode
Universal Encoding
• Unicode is a universal standard for encoding language glyphs
• It provides a unique number for every character (this is a code point)
• Latest version contains 136,755 characters covering 139 modern and historic scripts
Example Unicode characters:
F: U+0046   I: U+0049   ✪: U+272A
A: U+0041   G: U+0047   ∰: U+2230
R: U+0052   H: U+0048   ॐ: U+0950
S: U+0053   T: U+0054   ♥: U+2665
Punycode
A lossless method for downsampling Unicode into ASCII
• Taking data that requires larger encoding space and fitting it into a smaller presentation format ("puny")
• Punycode is an encoding to convert Unicode characters into ASCII
• Technically, into a subset of ASCII known as LDH (letters, digits, hyphens)
Example Unicode --> Punycode:
αβγδεζηθικλμνξοπρστυφχψω --> xn--mxacdefghijklmnopqr0btuvwxy
IDNs represent Unicode labels and may appear as such to the end user, but over the wire they are sent encoded using Punycode
IDN Homographs
• Different letters or characters might look alike
  • Uppercase "I" and lowercase "l"
  • Letter "O" and number "0"
• Characters from different alphabets or scripts may appear indistinguishable from one another to the human eye
  • Individually they are known as homoglyphs
  • In the context of the words that contain them they constitute homographs
IDN Homograph Attacks
And this is why we can't have nice things
• Bad actors figured out they can register IDNs and target sites using homoglyphs (or sometimes homographs)
Example Punycode to rendered Unicode IDNs:
xn--frsight-2fg.com --> fаrsight.com    (the "а" is Cyrillic, Unicode U+0430)
xn--80ak6aa92e.com --> аррӏе.com        (all Cyrillic characters)
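A defender's check that follows the two slides above (decode the Punycode sent on the wire, then look for script mixing and brand look-alikes in the Unicode label), as an added example written for this page and not part of the Farsight deck or its tooling. The confusables map is a hand-constructed subset, BRANDS is a hypothetical watch list, and the script of a letter is taken from the first word of its Unicode character name rather than from a full script database.

```python
import unicodedata

# Constructed subset of homoglyph mappings (Cyrillic/Greek -> Latin look-alike);
# a real checker would load Unicode's confusables.txt. Illustrative only.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}
# Hypothetical watch list; the deck's 125 monitored brands are not on the slide.
BRANDS = {"farsight", "apple"}

def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its U-label with Python's punycode codec."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(label: str) -> set:
    """Script of each letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Replace each homoglyph with its Latin look-alike so confusables compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def analyze(domain: str) -> dict:
    """Decode the leftmost label, report script mixing and any brand it imitates."""
    u_label = decode_label(domain.split(".")[0])
    scripts = scripts_of(u_label)
    skel = skeleton(u_label)
    return {
        "unicode": u_label,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        # Only a label that changed under skeletonisation is an imitation.
        "imitates": skel if skel != u_label and skel in BRANDS else None,
    }

if __name__ == "__main__":
    for d in ("xn--frsight-2fg.com", "xn--80ak6aa92e.com", "farsight.com"):
        print(d, analyze(d))
```

Note that the second slide example is not mixed-script at all (every character is Cyrillic), which is why the skeleton comparison is needed in addition to the script check.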
Research Done
• Examined 125 top brand domain names
  • Large content providers, social networking companies, financial websites, luxury brands, cryptocurrency exchanges, etc.
• Monitoring IDN homographs in real-time
  • From 3 month observation period observed 116,113 homographs
  • 2017-10-17 23:41 UTC to 2018-01-10 19:00 UTC
Disturbing Findings
• In depth details:
  • https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/
• The large number of homographs seems disturbing and may need further investigations
• No assumption made of intent against domains or domain owners
• However, did find some live phishing sites
  • Companies were contacted to alert them of suspected phishing sites
• Demonstrates that threat of IDN homograph impersonation is both real and actively being exploited
SuspiciousIDNs
General Observations
• While IDN related abuse domains are a fraction of the overall abuse domains, they do exist
• Publicity surrounding this kind of abuse is growing which will motivate potentially more abuse
• What is role of IETF (who decides what characters can be used in an IDN) vs role of ICANN (who decides policy)?
• Would certain policy enforcements mitigate most of the potentially harmful IDN related abuse domains?
QUESTIONS ?