Security Experts:

A Zero-Day Homograph Domain Name Attack

What started as almost casual research in November 2019 and disclosed to various vendors as a vulnerability in November and December 2019 and January 2020 was abruptly reclassified and treated as a zero-day vulnerability on February 13, 2020.

The vulnerability is the ability to register almost exact lookalike domain names. This is known as a homograph or homoglyph attack and has existed for many years. Simple attacks would attempt to register a domain using similar Latin characters -- for example G00GLE.COM to look like GOOGLE.COM. The first example uses zeros rather than the correct letter Os; and a successfully registered lookalike domain would likely be used as a malicious phishing site. The weakness in this attack is that a discerning eye can readily spot lookalike Latin characters, and major brands have themselves registered the most obvious look-alikes to keep them safe.

More advanced attacks have attempted to mix Latin characters with different but almost exactly similar characters from different language character sets. For example, the Voiced Velar Stop character is effectively indistinguishable from its Latin counterpart ('g'), and similar could be said for the Latin Alpha character compared to Latin 'a'. To foil such attacks, ICANN has a policy that prohibits any potential internationalized TLD from choosing letters that could resemble an existing Latin TLD.

This should prevent the more advanced homoglyph attacks -- but Matt Hamilton, principal researcher with DevSecOps specialist Soluble, wanted to know if homoglyph characters could be used in bucket names, and therefore subdomains. His research, in conjunction with Bishop Fox, found they could.

Soluble disclosed this as a vulnerability to Amazon, Google, Wasabi, Verisign and DigitalOcean. To date, only Amazon and Verisign have implemented a fix. Google (November 2019) and Wasabi (December 2019) acknowledged receipt of the vulnerability report, but have not otherwise responded. DigitalOcean confirmed receipt in January 2020, but replied in February, "we view this a very low risk for our users at this time."

However, about one week later, Soluble upgraded its view of the issue from a 'vulnerability' to a 'zero-day vulnerability', and notified Verisign, Google, Amazon, Wasabi and DigitalOcean that they had seven days to fix the issue before Soluble's public disclosure. In the event, this was extended because Verisign recognized the issue and asked for additional time to implement a fix.

The reason for the upgrade to zero-day status was effectively twofold. Firstly, Hamilton successfully registered a range of 27 major brand domains using IPA Extension homoglyph characters that are essentially indistinguishable from the correct domain names. These include amazon.com, salesforce.com, gmail.com, washingtonpost.com, android.com, netflix.com and similar. "Cost?" asks the report; "$400. Value? Priceless."

This alone, while concerning, does not warrant the epithet 'zero-day'. However, Hamilton also developed a script that facilitates domain permutations using homoglyph characters, and thereby helps locate such domains already registered. "It was discovered," he notes in his report, "that between 2017 and the present, third-parties had registered and generated HTTPS certificates for 15 of the 300 tested domains using this homoglyph technique. Additionally, one instance of a homoglyph domain hosting an unofficial and presumed malicious jQuery library was found."

So, this is not merely a vulnerability, it is one that has been actively used over the last few years -- it is, in normal parlance, active in the wild. Hamilton does not, however, believe the process has had widespread malicious use. "My speculation," he says, "is that this vulnerability was only used in highly-targeted social engineering campaigns. I will further speculate that, based on the CT logs and recent browser changes in handling Unicode in URLs, abuse of this vulnerability was likely more prevalent 3+ years ago than it is today."

Only Amazon and Verisign have fixed the issue to prevent any future abuse. In a statement, Verisign said, "Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report."

Related: Punycode Makes SMiShing Attacks More Deceiving 

Related: Chrome, Firefox Users Exposed to Unicode Domain Phishing 

Related: Over 100,000 Fake Domains With Valid TLS Certificates Target Major Retailers 

Related: To Err is Human. To Squat is Criminal 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.