Punycode phishers - All you need to know

I’m always saying that everyone can be successfully ‘phished’ and that it’s mostly the result of being a hapless user rather than user stupidity. As a result, it’s not just the ability to prevent and detect threats through activity and behaviour monitoring that is key; being able to investigate and respond when a new attack technique comes up is just as critical for organizations.

Currently in the news is a technique that has existed for some time. Several browsers are vulnerable, so you should check whether any of your users have already been affected without your knowing it.

Punycode phishing attacks

What is Punycode?

Initially, the characters allowed in website domain names (DNS) were limited to ASCII. As that limitation does not fit worldwide needs, the internationalization of domain names was introduced. This led to today's situation, where we can use URLs such as www.bücher.de, containing non-ASCII characters, to access websites. The standard is defined in RFC 3490.

How does Punycode work?

The non-ASCII characters exist only at the “presentation” or “application” layer. This means you can type www.bücher.de into your browser, but under the hood your browser will translate the URL into “www.xn--bcher-kva.de”.

Why can it be a security issue?

Unicode domains can be used for homograph attacks. This means that an attacker can register a domain which, after punycode translation, appears in the presentation layer as a valid-looking domain such as www.google.de, but with the e replaced by a similar-looking Cyrillic character, U+0435 (Cyrillic small letter IE).

Most browsers have homograph protection mechanisms built into them. Xudong Zheng discovered that this protection fails in most browsers if every character is replaced, for example by using only Cyrillic characters. He explained it in a blog post with a proof-of-concept page: he registered the domain https://www.xn--80ak6aa92e.com, which is displayed as www.apple.com, with a valid HTTPS certificate, in Chrome and Firefox.

Your users might get tricked into visiting such a website, and even if they check the URL it will look correct, complete with a green checkbox for a valid HTTPS certificate. Your users might think it’s a legitimate website and provide credentials or disclose information.

What can organizations do to protect themselves?

First, validate whether the browser version you’re using in your organization is affected and whether your vendor of choice provides a patch. Check whether your browser has a configuration option to stop it from rendering punycode domains as their Unicode display name (Internet Explorer and Safari don’t render them by default), so that well-educated users have a chance to spot the malicious domain.

Check your log data (web proxy data, DNS server data and endpoint web browsing activity) for suspicious URLs starting with http://xn--*. Having said that, not every xn--* URL is malicious: all legitimate internationalized domains will show up as well. Watch out in particular for HTTPS connections, POST events and “logins”. Add context to the punycode domains, for example by resolving the domain name, enriching the IP addresses with location information to find malicious locations, and cross-correlating with threat intelligence lists. The Forensic Investigator App is your friend to speed things up. You can also use Splunk Enterprise Security to add context with whois information, which lets you find malicious registrars or connections to newly registered domains.
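An added example of the log check described above, combined with the punycode decoding from the “How does Punycode work?” section; it is illustration code written for this article, not Splunk's or the Forensic Investigator App's own logic. It assumes constructed key=value proxy events, an assumed brand watchlist and a deliberately partial confusables map; it renders xn-- hosts the way a browser displays them, folds Cyrillic lookalikes back to ASCII to catch homographs of watchlisted brands, and singles out HTTPS POSTs to such hosts.

```python
import unicodedata

# Constructed sample web-proxy events (Splunk-style key=value); not real traffic.
SAMPLE_EVENTS = [
    "src=10.0.0.5 dest_host=www.xn--bcher-kva.de method=GET scheme=https",
    "src=10.0.0.7 dest_host=www.xn--80ak6aa92e.com method=POST scheme=https",
    "src=10.0.0.9 dest_host=www.apple.com method=POST scheme=https",
]

# Assumed watchlist of brand domains that must never show up as lookalikes.
WATCHLIST = {"apple.com", "google.de"}

# Hand-built, deliberately partial map of Cyrillic letters to the Latin letters
# they resemble (written as escapes so no lookalike slips into the source).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
}

def to_unicode(host):
    """Presentation form, as a browser displays it: decode xn-- labels to Unicode."""
    return host.encode("ascii").decode("idna")

def skeleton(host):
    """Fold lookalikes to ASCII and strip diacritics, e.g. bücher -> bucher."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def scripts(label):
    """Unicode scripts used by the letters of one label, e.g. {'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def assess(event):
    """Reasons an event deserves analyst attention; [] means nothing unusual."""
    fields = dict(kv.split("=", 1) for kv in event.split())
    host = fields["dest_host"].lower()
    reasons = []
    if any(label.startswith("xn--") for label in host.split(".")):
        shown = to_unicode(host)
        reasons.append("punycode:" + shown)
        registrable = ".".join(skeleton(shown).split(".")[-2:])
        if registrable in WATCHLIST and not shown.endswith(registrable):
            reasons.append("homograph:" + registrable)
        if any(len(scripts(label)) > 1 for label in shown.split(".")):
            reasons.append("mixed-script")
        # Credential submission over TLS to a lookalike is the case to chase first.
        if fields.get("method") == "POST" and fields.get("scheme") == "https":
            reasons.append("https-post")
    return reasons
```

The legitimate bücher.de event is reported only as an IDN to review, while the all-Cyrillic apple lookalike is flagged as a homograph with a POST over HTTPS.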

Happy Splunking,

Best

Matthias
