Thanks to a bug at some of the internet’s largest domain registrars, bad actors were able to register malicious domains until just late last month.
Hover over it, give it a click. You’ll find that it actually directs you to . Why? Look closely and you’ll notice that the second “a” and the “o” aren’t actually the letters “a” and “o” from the Latin alphabet, which is what’s used in the English language.
It’s not supposed to be possible to register these domain names due to the malicious attacks they could be used for. Many web browsers change the characters in the URL from Unicode to Punycode, as seen in the earlier example, for that very reason.
According to Hamilton’s , he was able to register dozens of names using Latin homoglyphs, basically a character that looks like another character. Verisign, Google, Amazon, DigitalOcean, and Wasabi were among the affected companies allowing the registration of these names.
“Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates,” writes Hamilton. “This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity.”
Hamilton held his report for publication until Verisign, the company that runs the domain registries for prominent general top level domain (gTLD) extensions like .com and .net, fixed the issue. The research was only conducted on gTLDs run by Verisign. He states that among all the vendors he contacted, Amazon and Verisign in particular took the issue very seriously.
In the Cyrillic alphabet specifically, there are a number of letters that look nearly identical to letters in the Latin alphabet. For example, here’s the character for “a” in Latin. Here’s the character for “ɑ” in Cyrillic.
Combining these homoglyph characters with the Latin alphabet in a domain name could create a URL that looks very much like one that’s already registered by another company, such as fake Amazon domain mentioned earlier.
Hackers could use these domain names to create phishing websites that look like legitimate sites for services like Gmail or PayPal. The attack could steal a users website password or credit card information using this information.
Hamilton was able to register the following domain names thanks to this bug:
In total, he spent $400 to register the domain names that could be used to scam people out of much, much more.
Internationalized domain names, or IDNs, have become popular in recent years. These domains allow users around the world to register names using their native language, such as Greek or Japanese, where you may find non-Latin characters.
However, malicious actors quickly discovered ways to use IDNs for attacks.
As points out, the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that manages the web’s domain name system, has IDN guidelines state that domain registrars should not allow domains be registered using a combination of different alphabets for this very reason.
Originally posted: Source link