FARSIGHT SECURITY
Merike Kaeo (presenting)
Research by: Mike Schiffman, Stephen Watt
ICANN61 – Tech Day IDN Abuse

Motivation
• Lots of Data To Play With
• Shed Light on Domain Abuse via IDN Homographs
  • IDNs allow forgeries to be nearly undetectable by either human eyes or human judgment
  • Is it well understood by the wider public?
• How Bad Is The Problem
  • Registering Internet DNS names for the purpose of misleading consumers is not news
  • Wanted to determine prevalence and reach of issue

Terminology
Terms to know when dealing with IDNs
• Code point: A numerical value representing a Unicode character, i.e.: U+03B1
• Plane: A contiguous set of code points (17 in total; plane 0, The Basic Multilingual Plane, is the most important)
• Block: Logical subdivision of a plane; "Basic Latin" (ASCII 0x00-0x7f), or CJK Unified Ideographs
• UTF-8: Common scheme for variable length encoding of Unicode code points into sequences of 1–4 bytes (U+0000–U+10FFFF); is backwards compatible with ASCII
• SSIM: Structured Similarity Index; a fractional value representing the similarity between two images that can range from 0.0 (least similar) to 1.0 (identical)
• Homoglyph: One of two or more characters with shapes that appear identical or very similar (O "oh" and 0 "zero")
• Homograph: Same as above, but entire words are considered

Unicode
Universal Encoding
• Unicode is a universal standard for encoding language glyphs
• It provides a unique number for every character (this is a code point)
• Latest version contains 136,755 characters covering 139 modern and historic scripts
Example Unicode characters
F: U+0046    I: U+0049    ✪: U+272A
A: U+0041    G: U+0047    ∰: U+2230
R: U+0052    H: U+0048    ॐ: U+0950
S: U+0053    T: U+0054    ♥: U+2665

Punycode
A lossless method for downsampling Unicode into ASCII
• Taking data that requires larger encoding space and fitting it into a smaller presentation format ("puny")
• Punycode is an encoding to convert Unicode characters into ASCII
• Technically, into a subset of ASCII known as LDH (letters, digits, hyphens)
Example Unicode --> Punycode
αβγδεζηθικλµνξοπρστυφχψω --> xn--mxacdefghijklmnopqr0btuvwxy
IDNs represent Unicode labels and may appear as such to the end user, but over the wire they are sent encoded using Punycode

IDN Homographs
• Different letters or characters might look alike
  • Uppercase "I" and lowercase "l"
  • Letter "O" and number "0"
• Characters from different alphabets or scripts may appear indistinguishable from one another to the human eye
  • Individually they are known as homoglyphs
  • In the context of the words that contain them they constitute homographs

IDN Homograph Attacks
And this is why we can't have nice things
• Bad actors figured out they can register IDNs and target sites using homoglyphs (or sometimes homographs)
Example Punycode to rendered Unicode IDNs:
xn--frsight-2fg.com --> fаrsight.com (Unicode U+0430)
xn--80ak6aa92e.com --> аррӏе.com (All Cyrillic characters)
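
The two Punycode labels on this slide, decoded and checked against a monitored brand list, as an added example (not Farsight's code). The homoglyph table and the brand set are constructed for illustration and cover only a few Cyrillic letters; the second label shows why a mixed-script test alone misses whole-script homographs.

```python
import unicodedata

# Constructed, deliberately small homoglyph table (Cyrillic -> Latin look-alike).
# A production monitor would use a complete confusables data set instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
}

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (raw Punycode, no IDNA mapping)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def skeleton(text: str) -> str:
    """Fold the homoglyphs we know about to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())

def check_domain(domain: str, brands: set) -> dict:
    """Decode the first label and report which monitored brand it imitates, if any."""
    label = decode_label(domain.split(".")[0])
    folded = skeleton(label)
    # A hit is a label that folds to a brand but is not the brand's own ASCII name.
    hit = folded if folded in brands and label != folded else None
    return {"unicode": label, "scripts": scripts(label), "imitates": hit}

if __name__ == "__main__":
    monitored = {"farsight", "apple"}  # assumed watch list, taken from the slide's examples
    for d in ("xn--frsight-2fg.com", "xn--80ak6aa92e.com", "farsight.com"):
        print(d, check_domain(d, monitored))
```

The first label reports both LATIN and CYRILLIC, while the second reports CYRILLIC only, so it is caught by the skeleton comparison and not by script mixing.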

Research Done
• Examined 125 top brand domain names
  • Large content providers, social networking companies, financial websites, luxury brands, cryptocurrency exchanges, etc.
• Monitoring IDN homographs in real-time
  • From 3 month observation period observed 116,113 homographs
  • 2017-10-17 23:41 UTC to 2018-01-10 19:00 UTC

Disturbing Findings
• In depth details:
  • https://www.farsightsecurity.com/2018/01/17/mschiffm-touched_by_an_idn/
• The large number of homographs seems disturbing and may need further investigations
• No assumption made of intent against domains or domain owners
• However, did find some live phishing sites
  • Companies were contacted to alert them of suspected phishing sites
  • Demonstrates that threat of IDN homograph impersonation is both real and actively being exploited

Suspicious IDNs
[Slides 10–14: images not reproduced]

General Observations
• While IDN related abuse domains are a fraction of the overall abuse domains, they do exist
• Publicity surrounding this kind of abuse is growing which will motivate potentially more abuse
• What is role of IETF (who decides what characters can be used in an IDN) vs role of ICANN (who decides policy)?
• Would certain policy enforcements mitigate most of the potentially harmful IDN related abuse domains?
QUESTIONS ?