Hackers are flooding the Internet with more and more fake domain names. Here’s how to protect yourself

A new report released on Wednesday shows that the use of fake internet domain names to trick consumers into disclosing personal information is more prevalent than experts originally believed.

This is largely due to the increased use of Internationalized Domain Names (IDNs), which use carefully chosen homographs to look exactly like their English counterparts. Hackers create domain names that replace an English-language character with a similar-looking character from another language – replacing the Latin letter “a” with the Cyrillic letter “a”, for example – in order to lure users to fake websites where they are asked to enter their personal information.

The report by cybersecurity firm Farsight Security identified 125 different websites, from social media giants like Facebook and Twitter to luxury brands like Gucci and financial sites like Wells Fargo, mimicked by fake domain addresses. Between October 17 and January 10, the group observed more than 116,000 domains imitating these sites in real time.

Security systems are often unable to detect this problem before the hack occurs, according to the report.

“This problem got worse than we thought, faster than we thought,” said Paul Vixie, president and CEO of Farsight Security and one of the developers of the Domain Name System, which maps IP addresses to human-readable domain names.

Why were IDNs created?
Scammers have been using bogus or confusing domain names since the beginning of the internet. But with the introduction of IDNs in May 2010, the problem has become much more prevalent.

The developers created the Internationalized Domain Name System (IDN) to bridge the gap between English speakers and non-English speakers using the Internet. It allows anyone to create and register domain names using character sets in different languages.

But cybercriminals also use the IDN system to lure consumers to phishing websites that look exactly like the ones they intended to visit.

“It is now used despite the prior knowledge of experts; it is now widely abused against major domain names,” said Vixie.

Vixie said that when DNS was first released, it was not secure enough to be used by anyone who wanted to access the internet.

“It came out of the lab and into people’s pockets about a decade earlier than it should have been allowed to,” he said. “But I guess there is money to be made, so we did it.”

How it works:
Take a popular financial site like BankofAmerica.com. Cybercriminals take this domain and change one character, such as the Latin letter “a” to the similar-looking Cyrillic letter “a”, and create a website that looks remarkably like the original Bank of America page.

A user enters their login information and password on this fake Bank of America site, automatically giving cybercriminals their credentials to log in to the real one. IDN homographs are also sometimes used to introduce spam or malware onto a user’s device.
Below is a list of suspicious IDNs identified by Farsight Security mimicking the original Bank of America site:

Above, the left column shows the IDN homographs hackers register as they look “under the hood”. The right column shows how the same domain names would appear to an average user in a web browser or an email hyperlink.

A famous example is the phishing email that Hillary Clinton’s campaign chairman John Podesta received in 2016, claiming that a Google user had attempted to access his account. It included a link allowing him to change his password. Podesta followed the link and changed the password, giving hackers access to his entire Google account, CNN reported.

According to the International Data Group (IDG), many email providers scan messages for the word “password” because it is often used in malicious emails. Providers like Google often attach a warning to the email that it looks like spam. But if the word “password” is written with a Cyrillic “o”, as in the email John Podesta received, the message will pass through the filter. According to the IDG, homographs were combined with other advanced attack email methods during the Democratic National Convention hack.

Below is the copy of the email received by Podesta, obtained by Wikileaks:

A phishing email directed to John Podesta, former chairman of Hillary Clinton’s presidential campaign. The email was obtained by WikiLeaks.

Who is behind these attacks?
Russian government hackers were behind the break-in of the Democratic National Convention’s computers, which gave them access to its opposition-research database on Donald Trump, Crowdstrike co-founder Dmitri Alperovitch told PBS NewsHour in June 2016. Crowdstrike investigated the breach for the DNC. The Russian government denies any involvement.

Some of the threats may be nation-state-related, but the majority of attacks via IDN homographs come from isolated cybercriminals, said Rick Holland, vice president of strategy at Digital Shadows, a group that monitors and remediates internet security risks.

And while sometimes the target is a nation as a whole, it’s really the “people who are in our individual circles in our lives who are likely to be affected by this; it will be a cybercriminal who uses IDNs to steal money from my father,” Holland said.

How to protect yourself

Fortunately, most popular web browsers like Google Chrome and Mozilla Firefox already have security measures in place to notify users that they may be visiting a suspicious website. But last April, security researcher Xudong Zheng showed that these browsers did not flag the fake domain name “аррӏе.com”, which was made up entirely of Cyrillic characters that look like Latin ones.
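As an added example (not from the Farsight report or this article), the Python script below shows the two halves of the problem described in “How it works” and in the аррӏе.com case above: what the “under the hood” punycode form of a homograph domain looks like, and why a mixed-script check catches a single swapped Cyrillic letter in bankofamerica.com but not an all-Cyrillic look-alike, which needs a confusable-skeleton comparison against a watchlist instead. The confusable map and the watchlist are constructed, partial assumptions.

```python
import unicodedata

# Constructed, partial subset of the Unicode confusables data (UTS #39):
# Cyrillic letters that render like Latin ones in most fonts. Not exhaustive.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}

# Constructed watchlist; a real deployment would load the organisation's
# own domains plus the brands its users commonly visit.
WATCHLIST = {"apple.com", "bankofamerica.com"}


def to_ace(domain: str) -> str:
    """Return the punycode ('xn--') form that actually goes over the wire."""
    return domain.encode("idna").decode("ascii")


def scripts(label: str) -> set:
    """Scripts of the letters in one label, taken from their Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Map confusable letters to their Latin look-alike so that visually
    identical domains compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def analyze(domain: str) -> dict:
    """Mixed-script check (catches one swapped letter) plus skeleton match
    against the watchlist (catches all-Cyrillic look-alikes too)."""
    labels = domain.lower().split(".")
    mixed = any(len(scripts(lbl)) > 1 for lbl in labels)
    skel = skeleton(domain)
    lookalike = skel if skel in WATCHLIST and skel != domain.lower() else None
    return {"ace": to_ace(domain), "mixed_script": mixed,
            "lookalike_of": lookalike}


if __name__ == "__main__":
    samples = ["bankofamerica.com",
               "b\u0430nkofamerica.com",            # Cyrillic 'а' swapped in
               "\u0430\u0440\u0440\u04cf\u0435.com"]  # all-Cyrillic "apple"
    for d in samples:
        print(d, analyze(d))
```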

Most phishing attempts reach Internet users via email. You should therefore be wary of emails containing “distressing or tantalizing statements to elicit an immediate reaction” or login links to different accounts combined with requests to update information, warns the Farsight Security report.

The report also recommends enabling the Safe Browsing feature if it is available and watching the browser while a page loads. For sites that require a password, the URL should start with “https://” instead of “http://”, and the browser should display a green padlock. Check that the URL does not change unexpectedly after you click a link, and enable two-factor authentication on every website that supports it.

It’s also important to be familiar with how a browser handles IDNs in general, according to the report. Chrome has a page here explaining the process.

What comes next?

Experts say this problem will only get worse because ordinary people don’t know or think about how to protect themselves when online.

Tech companies like Google are doing what they can to make sure this doesn’t happen to their users, Vixie said, but there is no simple piece of software or 10-step process that lets you avoid falling victim to a phishing scheme altogether.

“This problem cannot be technically solved once and for all; there is simply no quick fix that can fix this problem overnight,” said Thomas Rid, professor of strategic studies at Johns Hopkins, who did not take part in the study. Rid said one way to avoid falling victim to a phishing scheme is simply not to click on a link you think is suspicious.

But Holland believes the security community can do more to protect consumers. He believes content and network providers should do more to identify suspicious activity. “In the age of big data, the capabilities are there,” he said.

“We should build security measures into these browsers and enable them by default, without forcing you to add anything else,” Holland said, adding that two-factor authentication should be enabled automatically for all public applications.

“It’s going to be the status quo or get worse, because for the 90 percent of ordinary people who just don’t know what to do, there isn’t enough transparent security in place to help them.”
