A bug at the registry behind some of the internet's most widely registered top-level domains let bad actors register malicious look-alike domains until late this month.
If I told you to click on this URL, amɑzon.com, and log in for a great limited-time deal with Amazon, would you notice that it's not really Amazon's domain name?
Hover over it, or give it a click, and you'll find that it actually sends you to xn--amzon-1jc.com. Why? Look closely and you'll notice that the second "a" is not really the ASCII letter "a" used in English text, but a look-alike character.
It should not be possible to register such names, precisely because of the attacks they enable. That is also why many web browsers display such URLs in Punycode rather than Unicode, as in the example above.
The previously unknown bug was discovered by Matt Hamilton, a security researcher at Soluble, in collaboration with security firm Bishop Fox.
According to Hamilton's research, he registered dozens of names using Latin homoglyphs, characters that look like other characters. Verisign, Google, Amazon, DigitalOcean and Wasabi are among the affected companies whose services allowed registration of these names.
"Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates," Hamilton wrote. "This included well-known financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity."
Hamilton held his report until Verisign, the company that runs the registry for widely used generic top-level domains (gTLDs) such as .com and .net, fixed the issue. The research covered only the gTLDs run by Verisign. He said that of all the vendors he contacted, Amazon and Verisign took the issue very seriously.
Unicode contains a number of letters that look identical to the ordinary Latin letters used in English. The look-alikes used here do not even come from a different script such as Cyrillic: ɑ (U+0251, LATIN SMALL LETTER ALPHA), ɡ (U+0261, LATIN SMALL LETTER SCRIPT G) and ɩ (U+0269, LATIN SMALL LETTER IOTA) are phonetic (IPA) letters that Unicode classifies as Latin. Compare the ASCII letter "a" (U+0061) with "ɑ" (U+0251): in most fonts the two are indistinguishable.
Combining such homoglyphs with ordinary Latin letters in a domain name produces a URL that looks like one already registered by another company, such as the fake Amazon domain mentioned earlier.
Attackers can use such domains to host phishing sites that look like legitimate services such as Gmail or PayPal, and steal a user's password or credit card details.
Hamilton was able to register the following domain names thanks to this bug:
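The following Python script is an added illustration, not code from Hamilton's research or from any of the companies named here. It shows the two mechanisms discussed above: how a browser or registry turns a Unicode name into its Punycode (xn--) form, and why a check for mixed scripts is not enough on its own, since ɑ, ɡ and ɩ are all Latin-script letters. The confusables table is a small hand-picked subset (an assumption for the example; Unicode publishes a much larger confusables.txt) and the list of protected brand names is constructed for the example.

```python
import unicodedata

# Small hand-picked subset of look-alike mappings, constructed for this
# example. Unicode's confusables.txt is far larger; this covers the IPA
# letters seen in the domains above plus a few Cyrillic letters for contrast.
CONFUSABLES = {
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G
    "\u0269": "l",  # ɩ LATIN SMALL LETTER IOTA
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
}

# Brand names we want to protect against look-alike registrations
# (constructed for this example).
PROTECTED = {"amazon", "paypal", "google", "gmail"}


def to_punycode(domain):
    """Return the ASCII (xn--) form that browsers and registries use on the wire.

    Python's standard-library 'idna' codec implements IDNA 2003
    (nameprep followed by Punycode), which is enough to show the transform.
    Pure-ASCII names pass through unchanged.
    """
    return domain.encode("idna").decode("ascii")


def scripts_used(label):
    """Scripts present in a label, taken from the first word of each letter's
    Unicode character name (LATIN, CYRILLIC, GREEK, ...). A heuristic that is
    good enough for alphabetic scripts; digits and hyphens are ignored."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """The check ICANN's IDN guidelines call for: more than one script in a label."""
    return len(scripts_used(label)) > 1


def skeleton(label):
    """Collapse look-alike characters onto the ASCII letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def assess(domain, protected=PROTECTED):
    """Evaluate a candidate registration the way a registry abuse check might.

    A name is flagged as impersonating a brand only when it is NOT the genuine
    ASCII name but its skeleton collapses onto a protected name.
    """
    label = domain.split(".")[0]
    collapsed = skeleton(label)
    impersonates = collapsed if (not label.isascii() and collapsed in protected) else None
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "scripts": sorted(scripts_used(label)),
        "mixed_script": is_mixed_script(label),
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the real name, two of the Latin-homoglyph
    # names from the article, and a Cyrillic mixed-script name for contrast.
    for d in ("amazon.com", "am\u0251zon.com", "\u0261oog\u0269e.com", "p\u0430ypal.com"):
        print(assess(d))
```

Running it shows the point of the caveat: the Cyrillic "pаypal" trips the mixed-script check, while "amɑzon" and "ɡoogɩe" report a single script (LATIN) and are only caught by the confusables skeleton matching a protected name.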
amɑzon.com
chɑse.com
sɑlesforce.com
ɡmɑil.com
ɑppɩe.com
ebɑy.com
ɡstatic.com
steɑmpowered.com
theɡuardian.com
theverɡe.com
washinɡtonpost.com
pɑypɑɩ.com
wɑlmɑrt.com
wɑsɑbisys.com
yɑhoo.com
cɩoudfɩare.com
deɩɩ.com
gmɑiɩ.com
gooɡleapis.com
huffinɡtonpost.com
instaɡram.com
microsoftonɩine.com
ɑmɑzonɑws.com
ɑndroid.com
netfɩix.com
nvidiɑ.com
ɡoogɩe.com
In total he spent about $400 on domain names that could have been used to scam people out of far more.
Internationalized domain names, or IDNs, have become popular in recent years. They allow users around the world to register names in their own languages, such as Greek or Japanese, using non-Latin characters.
However, malicious actors quickly found ways to abuse IDNs for attacks.
As Bleeping Computer points out, the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that manages the domain name system, has IDN guidelines saying that registries should not allow names that mix characters from different scripts, for this very reason. Note, though, that the names Hamilton registered use only Latin-script characters (Unicode classifies IPA letters such as ɑ, ɡ and ɩ as Latin), which is exactly why a mixed-script rule alone did not stop them; a registry also needs a look-alike check against existing names.
It's not a new trick, either. As The Register notes, homograph attacks have been an issue for the web for 15 years.
As for amɑzon.com, or rather xn--amzon-1jc.com: Hamilton has since transferred the domain to Amazon, which now points it at the real amazon.com.