Update 25/08/09: Safari’s recent update doesn’t blatantly ignore IDNs anymore. Progress.
With the recent spate of IDNs (Internationalised Domain Names) being bought that utilise the Unicode character set, I wanted to bring back the issue of homophone spoofing / phishing with these domains.
It is still possible to spoof domains using unicode character sets.
Domain registrars have not done enough to prevent similar-looking domains from being purchased; this is something that can be vastly improved with little effort.
Apple’s Safari browser has not taken on board the same precautions that other browsers including Mozilla Firefox and even Internet Explorer have to warn the end user that they are not using a standard domain.
I have tested the following proof-of-concept on a number of people, including some technically orientated peers; not one was even aware of this kind of spoofing attack. This post is intended to spread awareness of the technique.
Domain purchased: http://ebɑy.com/ (click to visit proof-of-concept site)
Domain cost: $7.00
The domain above has the Latin Unicode character ‘ɑ’, which closely resembles a standard ‘a’.

Comparison of domains side-by-side.
The spoof site currently displays a warning message and pulls down a live copy of the requested eBay page to demonstrate its viability for a phishing attack (limited to just the home page).
It is easily possible to spoof content for each and every eBay page and save users’ login data (because most people reuse the same password, there is a high chance their eBay password will be the same as the one for their e-mail, PayPal, Twitter accounts etc.).
It should be noted this spoof has nothing to do with eBay. This is purely an example of the technique that can be applied to almost any domain.
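
The following is an added example, not code from the original post: a defender-side check that shows the ASCII (`xn--`) form of a lookalike domain and flags it against a watch list. The `CONFUSABLES` map and `PROTECTED` list are small constructed samples; the function names are hypothetical.

```python
import unicodedata

# Constructed, deliberately tiny map (assumption). A real deployment would
# load the full Unicode confusables data rather than a hand-written table.
CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA, the character used in this post
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
}
PROTECTED = {"ebay.com", "paypal.com"}  # hypothetical watch list


def to_a_label(label):
    """ASCII form of one label, as shown by a browser that refuses to render the IDN."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def skeleton(domain):
    """Fold known lookalike characters onto the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def check_domain(domain):
    domain = unicodedata.normalize("NFC", domain.lower().rstrip("."))
    # Every non-ASCII character with its code point and Unicode name.
    odd = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
           for ch in domain if not ch.isascii()]
    skel = skeleton(domain)
    return {
        "ascii_form": ".".join(to_a_label(part) for part in domain.split(".")),
        "non_ascii": odd,
        # Only a spoof if it contains non-ASCII characters AND folds onto a watched name.
        "impersonates": skel if odd and skel in PROTECTED else None,
    }


if __name__ == "__main__":
    # The lookalike is Latin-script, so a check for mixed scripts alone
    # would not flag it; the skeleton comparison does.
    for name in ("eb\u0251y.com", "ebay.com"):
        print(name, check_domain(name))
```
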

International Domain Name spoofing is scary shit! Check the demo in Safari! http://bit.ly/BtBS1 HT: @thomasknoll
This comment was originally posted on Twitter
Be careful on the web, things may not be what they seem @thinkgareth talks spoofing http://bit.ly/BtBS1 (via: @thomasknoll )
This comment was originally posted on Twitter
did not see this coming… RT: @jpdeffillippo @thomasknoll International Domain Name spoofing is scary shit! http://bit.ly/BtBS1
This comment was originally posted on Twitter
Be careful on the web, things may not be what they seem @thinkgareth talks spoofing http://bit.ly/BtBS1 (via: @MegCanadal)
This comment was originally posted on Twitter
Wow, thanks for raising awareness on this! I’ll be sure to remain vigilant
Hi, good post. I have been wondering about this issue, so thanks for posting. I’ll definitely be coming back to your site.
Hi, very nice post. I have been wonder’n bout this issue, so thanks for posting
Hi, interest post. I’ll write you later about few questions!
I think I will try to recommend this post to my friends and family, cuz it’s really helpful.
Some of us even don’t realize the importance of this information. What a pity.
Cheers! More to come soon – Many thanks for your support
Hello, like this blog very much. I found it on Bing, will add it to bookmarks and come back often again to read and follow. Please continue to do the awesome job you do on it.