More social engineering with Punycode

Domain internationalization seems to have brought more headaches than actual benefits.

Recently it was discovered one more way to trick users using Punycode. The technique per se is not new, as you can see in Wikipedia’s article about homograph attacks: it consists of displaying in the browser location bar an address as close as possible to the one it is intended to be spoofed (visually speaking). The addition is the SSL certificate. By using a valid certificate issued by a trusted company the user may perceive the website as secure without hesitation (look for the green lock pad). In terms of social engineering the browser induces the user in error by claiming the website is secure and that is the one intended to be visited.

Example of homography attack under Google Chrome
Example of homography attack under Google Chrome

In the picture, you can see the address is, apparently, the Apple website. However, it is a completely different domain. https://www.xn--80ak6aa92e.com is a proof-of-concept website that shows the attack in practice. The website has a valid certificate got from Let’s Encrypt, which is easily obtainable without too much hassle.

By using Firefox a more attentive user would however notice that something was not right. In the popup which is accessible by clicking the pad lock, we can actually see that the certificate domain name was not converted, showing its true format.

On Firefox you need to open the certificate window in order to check that the certificate domain name does not match the expected one
On Firefox you need to open the certificate window in order to check that the certificate domain name does not match the expected one

Meanwhile browsers are being updated to render this “trick” useless (at least I’m expecting the certificate will display the raw domain name instead of the internationalized version). However, I’m pretty sure this will not be the last episode of social engineering using Punycode.

Via ARSTechnica