Domain Hijacking Impersonation Campaigns

A number of domain “forgeries” or tricky, translated look-alikes have been observed recently. These attack campaigns cleverly abuse International Domain Names (IDN) which, once translated into ASCII in a standard browser, result in the appearance of a corporate or organization name that allows the targeting of such organization’s domains for impersonation or hijacking. This attack has been researched and defined in past campaigns as an IDN homograph attack.

The interesting part of this attack is that it allows bad actors to hijack the targeted organization’s domain without actually hijacking it. As seen in past campaigns, in order to hijack a domain, malicious users must compromise the targeted entity’s domain guardian, which is usually a name registrar, an administrator or web marketing department within the organization. Malicious users would proceed with different attack vectors in order to obtain credentials that allow the transferring or redirection of such domains. One of the popular attack vectors against an organization’s internet domain was DNS hijacking, which allows malicious actors to find technical ways of tampering or subverting a company’s DNS in order to redirect it to another hosted site, subsequently targeting redirected victims with different attack vectors (Drive By downloads, Phishing, Impersonation, etc).

Malicious actors have cleverly devised a way to use International Domain Names that, when translated into ASCII on standard browsers, look exactly like the targeted organization. Next, malicious actors proceed to register a targeted organization’s domain and get SSL/TLS certificates. Once these are translated into browsers, it is very difficult, and almost impossible, to notice the difference. Previous work from researcher Xudong Zeng of Symantec and recent research by IronGeek and Brian Krebs give a good example of how the use of IDNs can be effective when trying to impersonate a targeted entity.

Figure below show a simple translation tool.

The above example shows a domain name of a known cryptocurrency exchange which was recently targeted, according to TheNextWeb. Malicious actors used an IDN, cloned the site, purchased SSL/TLS certificates and proceeded to present a clone site to trick victims.

Figure Shows cloned site punycode/IDN site.

Figure Shows translated ID with secure icon on browser.

As seen on both images above, this type of attack is very difficult to detect, even for a detailed observer.

How can we defend against these types of attacks? 

Although these type of attacks are very difficult to detect by standard users, they don’t represent direct compromises of actual internet domains. Still, there are measures that can be taken in order to protect against them.

• Protect your domain registrars’ accounts so they cannot be compromised and your domain redirected. (Multiple Factor Authentication, Complex Passwords, Private Registrations)
• Select reputable domain registrars that will have support and legal weight in case of domain misappropriation/dispute.
• Monitor for impersonation and registration of rogue/non-standard character domains that may be used against your organization. Here is an IDN checker website that can provide information on possible suspicious IDN registration that match an internet domain when translated to English alphabet.
• Use tools such as Domain Lock to prevent transfers.. Also, DNSSEC (DNS secure verification of actual domain and name servers) can help users to detect impersonating sites and deter malicious actors.
• Properly document your domain. It is not far-fetched that malicious actors can, at one point, attempt to claim ownership based on previous registration or other geopolitical factors.
• Utilize web filters and blacklists to help prevent some of these attacks.

For users:

• Do not install mobile applications outside of authorized application stores. This attack is even more difficult to detect on mobiles.
• Install punycode alert add-ons from internet browsers’ authorized stores.

Fig Shows Punycode alert chrome add-on.