ICANN61 – Tech Day IDN Abuse

Page 1: Title slide

FARSIGHT SECURITY
Merike Kaeo (presenting)
Research by: Mike Schiffman, Stephen Watt

Page 2: Motivation

• Lots of data to play with
• Shed light on domain abuse via IDN homographs
• IDNs allow forgeries to be nearly undetectable by either human eyes or human judgment
• Is it well understood by the wider public?
• How bad is the problem?
• Registering Internet DNS names for the purpose of misleading consumers is not news
• Wanted to determine prevalence and reach of the issue

Page 3: Terminology – terms to know when dealing with IDNs

• Code point: a numerical value representing a Unicode character, e.g. U+03B1
• Plane: a contiguous set of code points (17 in total; plane 0, the Basic Multilingual Plane, is the most important)
• Block: logical subdivision of a plane; "Basic Latin" (ASCII 0x00–0x7F), or CJK Unified Ideographs
• UTF-8: common scheme for variable-length encoding of Unicode code points into sequences of 1–4 bytes (U+0000–U+10FFFF); is backwards compatible with ASCII
• SSIM: Structural Similarity Index; a fractional value representing the similarity between two images that can range from 0.0 (least similar) to 1.0 (identical)
• Homoglyph: one of two or more characters with shapes that appear identical or very similar (O "oh" and 0 "zero")
• Homograph: same as above, but entire words are considered

Page 4: Unicode – universal encoding

• Unicode is a universal standard for encoding language glyphs
• It provides a unique number for every character (this is a code point)
• Latest version contains 136,755 characters covering 139 modern and historic scripts

Example Unicode characters:
F: U+0046    I: U+0049    ✪: U+272A
A: U+0041    G: U+0047    ∰: U+2230
R: U+0052    H: U+0048    ॐ: U+0950
S: U+0053    T: U+0054    ♥: U+2665

Page 5: Punycode – a lossless method for downsampling Unicode into ASCII

• Taking data that requires a larger encoding space and fitting it into a smaller presentation format ("puny")
• Punycode is an encoding to convert Unicode characters into ASCII
• Technically, into a subset of ASCII known as LDH (letters, digits, hyphens)

Example Unicode --> Punycode:
αβγδεζηθικλμνξοπρστυφχψω --> xn--mxacdefghijklmnopqr0btuvwxy

IDNs represent Unicode labels and may appear as such to the end user, but over the wire they are sent encoded using Punycode

Page 6: IDN Homographs

• Different letters or characters might look alike
  • Uppercase "I" and lowercase "l"
  • Letter "O" and number "0"
• Characters from different alphabets or scripts may appear indistinguishable from one another to the human eye
• Individually they are known as homoglyphs
• In the context of the words that contain them they constitute homographs

Page 7: IDN Homograph Attacks – and this is why we can't have nice things

• Bad actors figured out they can register IDNs and target sites using homoglyphs (or sometimes homographs)

Example Punycode to rendered Unicode IDNs:
xn--frsight-2fg.com --> fаrsight.com   (the "а" is Cyrillic, Unicode U+0430)
xn--80ak6aa92e.com --> аррӏе.com   (all Cyrillic characters)
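The Punycode transform from slide 5 and the two attack domains on slide 7 can be reproduced with Python's built-in RFC 3492 codec, and the same decoding step is the front end of any homograph monitor of the kind slide 8 describes. The block below is an added example written for this page, not code from the Farsight research (which scored visual similarity with SSIM rather than a character table). It assumes a small constructed look-alike table (a subset of what Unicode's confusables.txt covers) and a made-up two-brand watch list standing in for the 125 brands in the study.

```python
import unicodedata

ACE_PREFIX = "xn--"


def to_ace(label):
    """Unicode label -> ACE label (RFC 3492 Punycode with the 'xn--' prefix).

    Only the Punycode transform is shown; the IDNA mapping step (case folding,
    NFKC, prohibited characters) that a registrar or resolver applies first is
    out of scope here. ASCII labels are passed through unchanged.
    """
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def from_ace(label):
    """ACE label -> Unicode label; labels without the prefix are returned as-is."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def decode_domain(domain):
    """Decode every label of a dotted domain name (the on-the-wire form)."""
    return ".".join(from_ace(part) for part in domain.split("."))


def scripts_of(label):
    """Set of scripts used by the letters in a label, taken from the first word
    of each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


# Constructed subset of non-Latin letters whose glyphs are near-identical to
# Latin ones. The authoritative list is Unicode's confusables.txt (UTS #39);
# this table holds only what the slide examples need plus a few common extras.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l",                 # Cyrillic palochka, the "l" in аррӏе.com
    "\u03b1": "a", "\u03bf": "o",  # Greek alpha, omicron
}


def skeleton(label):
    """Fold a label to the Latin string a human reader would take it for."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()


# Constructed watch list standing in for the 125 brand names in the study.
WATCHED_BRANDS = {"farsight", "apple"}


def classify(domain):
    """Flag a (possibly ACE-encoded) domain whose first label reads as a watched brand."""
    label = decode_domain(domain).split(".")[0]
    sk = skeleton(label)
    return {
        "unicode": label,
        "skeleton": sk,
        "mixed_script": len(scripts_of(label)) > 1,
        # the brand's own label folds to itself; a look-alike that folds to it is a homograph
        "brand_homograph": sk in WATCHED_BRANDS and sk != label.lower(),
    }


if __name__ == "__main__":
    # alpha..omega without final sigma, built from code points to avoid a stray micro sign
    greek = "".join(chr(c) for c in range(0x3B1, 0x3CA) if c != 0x3C2)
    print(greek, "-->", to_ace(greek))
    for d in ("xn--frsight-2fg.com", "xn--80ak6aa92e.com", "farsight.com"):
        print(d, "-->", classify(d))
```

Two points the output makes concrete. The mixed-script check catches fаrsight.com (one Cyrillic letter among Latin ones) but is blind to аррӏе.com, which is entirely Cyrillic, exactly as the slide notes; only folding the label to its skeleton and comparing against the watch list flags it. And the skeleton table is the weak point of this approach: anything not in it passes, which is why a production monitor needs the full confusables data or an image-similarity measure such as the SSIM score defined on slide 3.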

Page 8: Research Done

• Examined 125 top brand domain names
  • Large content providers, social networking companies, financial websites, luxury brands, cryptocurrency exchanges, etc.
• Monitoring IDN homographs in real time
• From a 3 month observation period observed 116,113 homographs
  • 2017-10-17 23:41 UTC to 2018-01-10 19:00 UTC

Page 9: Disturbing Findings

• In depth details:
  • https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/
• The large number of homographs seems disturbing and may need further investigation
• No assumption made of intent against domains or domain owners
• However, did find some live phishing sites
• Companies were contacted to alert them of suspected phishing sites
• Demonstrates that the threat of IDN homograph impersonation is both real and actively being exploited

Pages 10–14: Suspicious IDNs (examples shown as slide images only)

Page 15: General Observations

• While IDN related abuse domains are a fraction of the overall abuse domains, they do exist
• Publicity surrounding this kind of abuse is growing, which will potentially motivate more abuse
• What is the role of the IETF (who decides what characters can be used in an IDN) vs the role of ICANN (who decides policy)?
• Would certain policy enforcements mitigate most of the potentially harmful IDN related abuse domains?

Page 16: Questions?