1. Introduction
“The weakest link in the chain of cyber security is the human.”
Internationalized Domain Names (IDNs) allow people around the world to use domain names
in their local languages, written with the letters of their own alphabets. IDNs can contain
components from different scripts, such as Arabic, Chinese, or Cyrillic; in brief, this is also
what makes them usable for spoofing a domain name. IDNs are encoded in the Unicode
standard and are used only as permitted by the corresponding IDN protocols.
2. IDN Homograph Attack
In some cases the attacker, relying on simple fraud methods and on the victim's perception
for social engineering, prefers to use similar-looking letters or numbers from the alphabet in
domain addresses. For instance:
Figure 1
As can be seen from Figure 1, the attacker has chosen to use the digit "0" instead of the
letter "o".
A more realistic example is that in an IDN homograph attack, as a social engineering method,
an attacker can form one or more fake domain addresses using at least one similar character
from a different script. Hypothetically, Omicron (U+03BF), a Greek lowercase letter, and
"o" (U+006F), a Latin lowercase letter, are very similar and difficult to tell apart.
Figure 2
As can be seen from Figure 2, both characters are obviously similar.
Figure 3
Figure 3 demonstrates the difference between the two URLs.
Figure 4
Figure 3 demonstrates a fake IDN homograph attack via WhatsApp. Unfortunately, the
domain name is displayed as plain Unicode text, not as Punycode; many apps still render IDN
characters this way, which makes the technique effective for social engineering, especially on
mobile devices.
For instance, suppose we have a bank whose main domain is www.aslanbank.com. Using the
IDN characters listed at https://www.unicode.org/reports/tr36/idn-chars.html, it is possible
to form similar domain addresses. I prefer to use the first letter of the Greek alphabet,
Alpha (α), instead of "a", and thus form the new domain www.αslanbank.com.
Figure 5
Normally, because of the Alpha, the domain is converted into www.xn--slanbank-d9f.com, as
Figure 4 demonstrates. It is a perfect method for phishing and other social engineering
methods.
An interesting point is that, looking at popular social media platforms, apps, and the biggest
banks, I found it possible to buy many IDN variants when checking their domain names
against the IDN characters. The domain prices are really cheap, and for attackers this is
undoubtedly a better way to achieve high phishing success rates.
3. Real Case Instances
Figure 6
As can be seen in Figure 6, the "l" is converted into "ı" for apple.com.
Figure 7
Figure 7 shows the IDN conversions of big companies' websites.
4. Conclusion
Browsers such as Google Chrome try to protect individuals from IDN homograph attacks
using certain display policies. Therefore, it is important to use up-to-date browsers or to set
the relevant options.
The URLs below give more detailed information about the Chrome and Mozilla IDN display
algorithms and policies.
https://wiki.mozilla.org/IDN_Display_Algorithm
https://www.chromium.org/developers/design-documents/idn-in-google-chrome#TOC-Google-Chrome-s-IDN-policy
However, for big commercial companies this is not a solution; it is a solution only for end users.
Figure 8
Therefore, taking into consideration the IDN character combinations for each letter, big
companies should buy the possible IDNs before attackers do. If the company is small or
medium-sized, it can generate each IDN variant of its main domain addresses and add them
to its blacklist.
For instance, for the aslanbank.com example there are more than 100 IDN possibilities. To
protect customers, it is more logical to buy these possible IDNs, and for the other possible
IDNs, such as subdomains, the solution is to add them to the blacklist and report them as
spam. Therefore, for the customers of big commercial companies, generating the possible
IDNs is the key element in countering the homograph attack.
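The variant generation recommended above, together with the Punycode conversion shown for www.αslanbank.com in Section 2, as an added Python example (not the author's tool). It assumes a small constructed subset of look-alike characters; a real deployment would load the full Unicode confusables data (UTS #39).

```python
"""Enumerate homograph variants of a protected domain and detect look-alike names.
Added example for this paper, not the author's tool. CONFUSABLES is a small
constructed subset; real tooling would load the full Unicode confusables (UTS #39)."""
from itertools import combinations, product

# Constructed subset: Latin letter -> visually similar code points from other scripts.
CONFUSABLES = {
    "a": ["\u03b1", "\u0430"],  # Greek small alpha (the paper's example), Cyrillic small a
    "o": ["\u03bf", "\u043e"],  # Greek small omicron, Cyrillic small o
    "l": ["\u0131"],            # Latin dotless i (the apple.com case)
    "i": ["\u0456"],            # Cyrillic small i
    "s": ["\u0455"],            # Cyrillic small dze
    "k": ["\u043a"],            # Cyrillic small ka
}
# Reverse map: any look-alike code point -> the Latin letter it imitates.
TO_LATIN = {c: latin for latin, cs in CONFUSABLES.items() for c in cs}

def to_punycode(domain: str) -> str:
    """ASCII form a resolver sees: www.αslanbank.com -> www.xn--slanbank-d9f.com."""
    return domain.encode("idna").decode("ascii")

def to_unicode(domain: str) -> str:
    """Decode xn-- labels back to Unicode; non-ASCII input is returned unchanged."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain

def homograph_variants(domain: str, max_subs: int = 1) -> set:
    """Variants of the registrable label with 1..max_subs confusable substitutions."""
    labels = domain.split(".")
    idx = len(labels) - 2 if len(labels) > 1 else 0  # 'aslanbank' in www.aslanbank.com
    label = labels[idx]
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    variants = set()
    for n in range(1, max_subs + 1):
        for pos in combinations(positions, n):
            for repl in product(*(CONFUSABLES[label[p]] for p in pos)):
                chars = list(label)
                for p, r in zip(pos, repl):
                    chars[p] = r
                variants.add(".".join(labels[:idx] + ["".join(chars)] + labels[idx + 1:]))
    return variants

def skeleton(domain: str) -> str:
    """Map every confusable character back to the Latin letter it imitates."""
    return "".join(TO_LATIN.get(ch, ch) for ch in to_unicode(domain))

def is_lookalike(candidate: str, protected: str) -> bool:
    """True if candidate (Unicode or xn-- form) imitates protected without being it."""
    cand = to_unicode(candidate)
    return cand != protected and skeleton(cand) == skeleton(protected)
```

The variants returned by homograph_variants are the names a defender registers or blacklists, and is_lookalike is the check to run over observed domains (for example from proxy or mail logs) against the protected domain.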