Go Back   Rage3D » Rage3D Discussion Area » Community and Site Discussions » Front Page News » Submit News
Rage3D Subscribe Register FAQ Members List Calendar Mark Forums Read

Submit News Use this forum to submit News items to Rage3D. Acceptable News items you post in here will be moved into the main "News" forum or one of the appropriate news sub-forum categories, where it will appear on Rage3D.

Thread Tools Display Modes
Old Feb 7, 2005, 01:58 PM   #1
Advertisement (Guests Only)

Login or Register to remove this ad
Chronic Repostinator
Join Date: Dec 2001
Location: Terran Faction, Earth Sector
Posts: 5,933
tempnexus is still being judged by the masses

Default NEW SPoofing/Phishing techniques.

Ok yet another reason to use FireFox.

The state of homograph attacks

I. Background

International Domain Name [IDN] support in modern browsers allows attackers to
spoof domain name URLs + SSL certs.

II. Description

In December 2001, a paper was released describing Homograph attacks [1]. This
new attack allows an attacker/phisher to spoof the domain/URLs of businesses.
At the time this paper was written, no browsers had implemented Unicode/UTF8
domain name resolution.

Fast forward to today: Verisign has championed International Domain Names
(IDN) [2]. RACES has been replaced with PUNYCODE [3]. Every recent
gecko/khtml based browser implements IDN (which is just about every browser
except for IE; plug-in are available [5]).

III. The details

Proof of concept URL:


Clicking on any of the two links in the above webpage using anything but IE
should result in a spoofed paypal.com webpage.

The links are directed at "http://www.pаypal.com/", which the browsers
punycode handlers render as www.xn--pypal-4ve.com.

This is one example URL - - there are now many ways to display any domain name
on a browser, as there are a huge number of codepages/scripts which look very
similar to latin charsets.

Phishing attacks are the largest growing class of attacks on the internet
today. I find it amusing that one of the large early adopters of IDN offer an
'Anti-Phishing Solution' [6].

Finally, as a business trying to protect their identity, IDN makes their life
very difficult. It is expected there will be many domain name related
conflicts related to IDN.

Vulnerable browsers include (but are not limited to):

Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5

Other comment:

There are some inconsistencies with how the browsers match the host name
with the Common Name (CN) in the SSL cert. Most browsers seem to match the
punycode encoded hostname with the CN, yet a few (try to) match the raw UTF8
with the CN. In practice, this makes it impossible to provide 'SSL' services
effectively, ignoring the fact that IE doesn't yet support them.

IV. Detection

There are a few methods to detect that you are under a spoof attack. One
method is to cut & paste the url you are accessing into notepad or some other
tool (under OSX, paste into a terminal window) which will allow you to view
what character set/pagecode the string is in. You can also view the details
the SSL cert, to see if it's using a punycode wrapped version of the domain
(starting with the string 'xn-'.

V. Workaround

You can disable IDN support in mozilla products by setting 'network.enableIDN'
to false. There is no workaround known for Opera or Safari.

VI. Vendor Responses

Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be
making any changes.
Mozilla: Working on finding a good long-term solution; provided clear
workaround for disabling IDN.

VII. Timeline

2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005

VIII. Copyright

This paper is copyright 2005, Eric Johanson [email protected]

Assistance provided by:
- The Shmoo Group
- The Ghetto Hackers

Thank you, you know who you are.


[1] http://www.cs.technion.ac.il/~gabr/p...homograph.html
[2] http://www.verisign.com/products-ser...mes/index.html
[3] http://mct.verisign-grs.com/index.shtml
[4] http://www.verisign.com/products-ser....html#01000002
[5] http://www.idnnow.com/index.jsp
[6] http://www.verisign.com/verisign-bus...ing-solutions/
Athlon 2200+ @ (~1981) 47C/35C (idle)
GA-7VAXP (0-4 RAID 100G WD Special ED) / AX-7 w/ 4500RPM 50cfm Fan / Mushkin 512MB DDR-2700 / Radeon R200 285/285 / Lite-On 48X CDRW & Lite-on 16X DVD / C-media sound (6spk) (sold the audigy crap) / Firewire/USB 2 (preferr firewire)
"You need to delete your video card and format your modem, and install AOL on your motherboard"
"Windows is a 32-bit extensions to a 16-bit graphical shell for an 8-bit operating system originally coded for a 4-bit microprocessor by a 2-bit company that can't stand 1 bit of competition "
NOT FOLDING due to lack of $$$!! Folding costs you about $25 a month.
tempnexus is offline   Reply With Quote

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
End of a shower techniques. Xiro Off Topic Lounge 77 Jun 27, 2007 05:51 PM
Firefox extentions: what spoofing tools are out there? UDHA Off Topic Lounge 3 May 27, 2005 04:41 PM
Weapon Techniques KageMonkey Off Topic Lounge 4 Aug 1, 2003 09:41 AM

All times are GMT -5. The time now is 09:54 PM.

Powered by vBulletin® Version 3.6.5
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
All trademarks used are properties of their respective owners. Copyright ©1998-2011 Rage3D.com
Links monetized by VigLink