Phishing: How Attackers Forge Websites & How to Stay Safe

Note:
This is a republished and translated blog post originally written in German and published by me on
April 25, 2017. I originally published this piece on a German company website of which I was a co-owner. Since neither the company nor the website exists anymore, I have republished this piece on my personal blog.

[Image: symbolic browser windows with the title "Phishing Attacks Misusing Punycode"]

The Forgery of Websites: A Lucrative Business for Attackers

Forging websites is a lucrative business for attackers. If they succeed in convincing a visitor of the legitimacy of such a site, they can also entice visitors to disclose sensitive information, such as login credentials.

How Some Attackers Operate

A "simple" way to forge a website is to register a web address that is almost identical to that of the site being forged. The attacker can then design their fake website to visually resemble the original.

For example, if an attacker wants to forge the website of the German banking group Sparkasse "sparkasse.de," they could register the web address "sparkase.de" and copy the design of "sparkasse.de." The attacker might then wait for Sparkasse customers to mistype the address and land on their page. If these customers do not notice the error and enter their online banking credentials there, the attacker can save the entered credentials and gain full access to the visitor's account.

There are many variations of this approach, but most share the same disadvantage: a vigilant and cautious visitor can easily recognize the forgery.

Hard-to-Detect Forgeries

However, there is a variant of this approach that exploits a feature of web browsers like Google Chrome or Firefox and can easily mislead even tech-savvy or security-conscious individuals. This variant relies on the fact that some languages have similar but not identical letters. For instance, the Latin lowercase letter "a" looks almost identical to the Cyrillic letter "а." This is already difficult to discern with the naked eye, and it is made worse by the fact that some major web browsers use a font that renders both letters identically.

This allows attackers to register a web address that appears to visitors as the official web address "apple.com" of Apple. If the design of both websites is identical, even the most experienced visitors may struggle to determine which one is the official web address.

Attacks based on similar-looking letters from different languages have been known for many years as "IDN homograph attacks" or "homoglyph attacks."[1] Recently, a public example[2] was presented in which web developer Xudong Zheng registered a web address that looks exactly like the official web address "apple.com"[3] in Google Chrome and Firefox.

The Technical Background of IDN Homograph Attacks

When the foundations of the internet were laid, the systems were only designed to work with Latin letters, punctuation, and some special characters based on the ASCII[4] character encoding. Some systems, such as the Domain Name System (DNS), which resolves web addresses to IP addresses, were designed for an even smaller subset of that. With the introduction of internationalized web addresses (like "münchen.de") based on the international standard Unicode[5], a way had to be found to represent internationalized web addresses in these existing systems.

This led to the standardization of the encoding method "Punycode."[6] In this method, characters that cannot be represented by the 26 Latin letters, the Arabic digits 0-9, or a hyphen are replaced by a special character string. For example, "München" is encoded as the string "Mnchen-3ya" using Punycode. To allow systems to recognize whether a string is Punycode-encoded, such strings are prefixed with "xn--." Thus, the web address "xn--mnchen-3ya.de" is the technical representation of the web address "münchen.de." Both variants lead to the web address "muenchen.de."

Both Variants? Yes. The web address "münchen.de" can also be entered in the web browser. In the background, the web browser then converts this address into the technical representation. Web browsers even support automatic conversion in both directions. That is, if the web address "xn--mnchen-3ya.de" is entered, some web browsers will instead display "münchen.de."

And it is precisely this behavior of some web browsers that allows identically looking web addresses to be registered. Xudong Zheng demonstrated this with the web address "https://www.xn--80ak6aa92e.com," which is displayed as "https://www.apple.com" in Google Chrome up to version 58 and in the current version of Firefox. Since version 58 of Google Chrome, the aforementioned technical representation is no longer automatically converted[7]. In version 59, further changes are planned to make such attacks more difficult[8].
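As an added example (not code from the original post), here is the Punycode conversion described above in Python, together with the kind of display check a browser can apply before showing the Unicode form instead of the "xn--" form. The function names and the set of Cyrillic look-alike letters are my own assumptions for illustration, not any browser's official list.

```python
import unicodedata

# Cyrillic letters whose usual glyphs are near-identical to Latin letters.
# Constructed subset for illustration; not any browser's official list.
CYRILLIC_LOOKALIKES = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0455"
    "\u0456\u0458\u04cf\u0501\u051b\u051d"
)


def to_ace(domain: str) -> str:
    """Encode each non-ASCII label with Punycode and prefix it with "xn--"."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def from_ace(domain: str) -> str:
    """Reverse of to_ace: decode every "xn--" label back to Unicode."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_of(label: str) -> set:
    """Rough script detection: first word of each letter's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def is_homograph_risk(label: str) -> bool:
    """Flag a label that mixes scripts, or is Cyrillic made only of Latin look-alikes."""
    scripts = scripts_of(label)
    if len(scripts) > 1:
        return True
    letters = [c for c in label if c.isalpha()]
    return scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES for c in letters)


def safe_display(domain: str) -> str:
    """Show the Unicode form only when no label is risky; otherwise keep the xn-- form."""
    decoded = from_ace(domain)
    if any(is_homograph_risk(label) for label in decoded.split(".")):
        return domain
    return decoded
```

Run against the two addresses from the post, "xn--mnchen-3ya.de" is shown as "münchen.de" while "xn--80ak6aa92e.com" stays in its technical form, because its decoded label consists entirely of Cyrillic look-alikes.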

In contrast, the situation with Firefox is currently more complicated. The lead developers do not want to change the behavior of the web browser for the time being[9][10].

Most Windows users who use Internet Explorer or Microsoft Edge are not affected by this attack. These browsers only convert the technical representation if the corresponding language (e.g., Russian) is installed.

How Can Users of Affected Web Browsers Protect Themselves?

For most users, it is difficult to protect themselves against such attacks. The simplest way is to never click on links in unexpected emails and to enter the web address into Google Search to indirectly access the desired website. Google's search is smart enough to recognize common typos. It also makes it harder for fake websites to achieve a prominent position in the search results.

Another option is to copy web addresses into a text editor (e.g., Notepad) beforehand and check if any letters look unusual. However, this approach should only be chosen if one has experience with different fonts and can assess when characters might look "unusual."

Technically savvy users also have the option to check the SSL or TLS certificates of a website to verify its authenticity. These certificates provide information about which organization—a so-called Certificate Authority (CA)—issued the certificates for the website. TLS (and its predecessor SSL) is a protocol for encrypting communication between the web browser and the server. Most people know this as "HTTPS" or by the term "Secure" in the address bar of the web browser. However, it is important to note that the mere presence of such a certificate does not prove the legitimacy of a website.

If you—or someone you know—are unsure whether a web address is a forgery or not, feel free to send the web address to me, and I will check it for you free of charge.

Stay safe on the internet, and happy coding!

fn1. "IDN homograph attack": https://en.wikipedia.org/wiki/IDN_homograph_attack

fn2. "Chrome, Firefox, and Opera users beware: This isn’t the apple.com you want": https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want

fn3. "Phishing with Unicode Domains": https://www.xudongz.com/blog/2017/idn-phishing

fn4. "ASCII": https://en.wikipedia.org/wiki/ASCII

fn5. "Unicode": https://en.wikipedia.org/wiki/Unicode

fn6. "[RFC3492] Punycode": https://tools.ietf.org/html/rfc3492

fn7. "IDN in Google Chrome": https://www.chromium.org/developers/design-documents/idn-in-google-chrome

fn8. "Google Chrome: Bug 683314": https://bugs.chromium.org/p/chromium/issues/detail?id=683314

fn9. "Firefox: Bug 1332714": https://bugzilla.mozilla.org/show_bug.cgi?id=1332714

fn10. "Firefox: IDN Display Algorithm": https://wiki.mozilla.org/IDN_Display_Algorithm

Published at 25. April 2017