Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

How to analyze Punycode fishing attack

2025-01-18 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)05/31 Report--

How to analyze Punycode fishing attacks, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

0x01 Punycode phishing attack 1.1.What is phishing?

Phishing (Phishing, also known as fishing or fishing attack) is an attack by sending a large number of fraudulent spam messages claiming to come from banks or other well-known institutions in an attempt to entice the recipient to give sensitive information (such as user name, password, account ID, ATM PIN code, or credit card details).

Attackers use fraudulent e-mails and fake Web sites to carry out network fraud, and the victims often disclose their own personal information, such as credit card number, bank card account, identity ID number and so on. Fraudsters often disguise themselves as credible brands such as online banks, online retailers and credit card companies to defraud users of private information.

PS: answer from Baidu Encyclopedia

For example, the common email spoofing, also known as phishing mail attacks, is the main threat in the use of e-mail.

How to see through email fraud at a glance? In fact, as long as you are careful, you can find it.

Sense of urgency-the email claims that there will be serious consequences if you don't reply to the password or click on the link.

Spelling errors-there are obvious or deliberate spelling errors in the message to avoid security checks for spam filters.

Send and reply addresses are different-the email claims to be from "A.com", but the reply address is "B.com".

Products or services are inconsistent-Tencent QQ sent an email saying that your Momo account is at risk.

Character similarity confusion-boss@a.com and b0ss@a.com, do you find any difference?

1.2 what are the possible hazards of fishing?

For example:

The file hides the real module in the picture resources carried by itself through PNG steganography technology, dynamically extracts the malicious module from the picture at run time, and then loads and executes it directly in memory (PE).

1.3 four steps for fishing

Look at the sky

According to different countries or regions, look at the current national conditions and current events, find which targets and groups are suitable for fishing attacks, and carry out fixed-point fishing.

Selection of rod

Select a specific target group.

Make bait

Make seductive documents, pictures (steganography), Trojans, execution files, and other fishing tools (free from killing).

Go to the big fish

Finally, just wait for the stupid fish to take the bait.

Introduction to 0x02 Punycode phishing attack

Phishing attacks are "almost impossible to detect", and even normally cautious users may not be able to escape fraud.

In some phishing scenarios, hackers can take advantage of known vulnerabilities in Chrome, Firefox and Opera browsers to disguise fake domain names as Apple, Google or Amazon sites to steal users' login credentials, financial credentials or other sensitive information.

2.1 homonym attack

Homonym attacks have been known since 2001, but browser makers have struggled to fix the problem. This spoofing attack is that the URL appears to be legitimate, but it is not, because one or more of the characters have been replaced by Unicode characters.

Many Unicode characters, which represent Greek, Slavic and Armenian letters in international domain names, look like Latin letters, but computers process them into completely different web addresses.

For example, the Slavic letters "letters" (Utre0430) and the Latin letters "a" (Utre0041) are processed by browsers as different characters, but both appear as "a" in the address bar.

Note:

Early DNS (Domain Name System) only supports English domain name resolution. The coded character set of a domain name is an ASCII code. After the launch of IDNs (internationalized domain name international domain names), in order to ensure compatibility with the previous DNS, the transcoded punycode consists of 26 English letters + 10 numbers and'- 'after punycode transcoding of IDNs.

ASCII code: ASCII code is a computer programming system based on the Latin alphabet and is mainly used to display modern English and other Western European languages. It is designed to represent a character in 1 byte, so the ASCII code table can only represent a maximum of 256 characters. In fact, there are only 128 characters in the ASCII code table, and the remaining 128 characters are reserved for extension.

Unicode: with the formation and development of the Internet in the world, people from all countries begin to have the need to communicate with each other. But there is a problem at this time. The character coding tables used in each country are different. At this time, people want to have a unified character coding table to store the characters and symbols used by all countries, which is Unicode. Unicode, also known as Unicode, Universal Code and single Code, is produced to solve the limitations of traditional character coding schemes. it sets a unified binary code for each character in each language. Unicode stipulates that all characters and symbols are represented by at least 2 bytes (16 bits), so the minimum number of characters that Unicode codes can represent is 2 characters 16 characters 65536.

IDN: international domain name (English: Internationalized Domain Name, abbreviation: IDN), also known as special character domain name, is an Internet domain name made up of some or all special characters or letters, including non-English letters such as French, Chinese, Slavic, Tamil, Hebrew or Latin letters, which are compiled by multi-byte universal codes. The domain name of IDN uses the unicode character set.

Calculate the similarity with well-known web sites

At this time, the domain name to be tested is mapped to a similar domain name that is all possible. At this time, the domain name of the well-known URL of top2w is intersected with this similar domain name. If the domain name is derived from the IDN domain name, as long as the domain name intersects with a well-known website, the domain name is considered to be highly suspected of forgery, because the frequent use of IDN domain names is usually suspected of forgery.

If the domain name is not derived from the IDN domain name, determine whether the number of domain names intersecting with the well-known website domain name is 1 (the meaning here is that the forged domain name is highly targeted) and determine whether the editing distance between the two domain names is 1.

Because the domain names in some well-known websites are very similar, if this "malicious" domain name is similar to multiple well-known website domain names, it reflects that they are not targeted and are more prone to false positives.

In addition, according to statistics, 90% of domain name forgery has an editing distance equal to 1, that is, most forged domain names will only replace one of the characters (after all, it is easier for people to detect the difference when there are more character substitutions).

2.2 where do the vulnerabilities in Chrome, Firefox, and Opera browsers come from?

After testing that Chrome, Firefox and Opera can display Unicode characters directly in the address bar, we can register the Punycode transcoded domain name corresponding to the Unicode domain name, and the Unicode character will be displayed directly after entering the URL in the browser.

Generally speaking, after we open a strange page, we will check the address bar after the browser loads to see if the address is provided by a valid HTTPS connection or if the domain name is a real domain name (for example: www.baidu.com). Right?

This time, we mainly want to talk about the use of Punycode transcoded domain name, forgery and deception. The page was created by Xudong Zheng, a Chinese security researcher who discovered the attack. Click to see it.

Www.xn--80ak6aa92e.com

So, let's analyze, ha, we originally wanted to access the browser, it can be directly parsed by the browser as: www.apple.com.

First, take a look at what www.xn--80ak6aa92e.com looks like after it is resolved into a Chinese domain name, as follows:

If Google is installed, please uninstall the current version (I am the latest version here) and then install 56.0.2906.0_chrome64_canary_windows_installer.exe (offline installation version). At this point, after we access www.xn--80ak6aa92e.com in the old version of Google browser (56), the old version of Google browser (56) will be automatically restored to www.apple.com. Our browsers are vulnerable to "homonym attacks".

Because 56.0.2906.0_chrome64_canary_windows_installer.exe browsers only convert Unicode encodings used in a single language to Ponycode URL (such as Chinese or Japanese), but if a domain name contains characters from multiple languages, the browser cannot distinguish it.

So, why don't we try to visit www.xn--80ak6aa92e.com again with the latest version of Google browser (the latest version of this blogger is 83.0.4103.61)? Let's see how it turns out.

From the figure above, we can see that the browser did not forward the URL domain name to www.apple.com, which shows that the vulnerability has been fixed in the new version.

Google has fixed this vulnerability in Chrome Canary 59 and will provide a permanent fix when Chrome Stable 58 is released.

At the same time, it is recommended that users who may be affected by this phishing attack temporarily turn off Punycode support in their browsers to identify phishing domain names and mitigate this attack.

The attack method of Punycode has two obvious advantages, which are often chosen by attackers to attack:

Masquarading: it is difficult to distinguish a normal domain name from a domain name disguised by punycode from the naked eye, and the success rate of phishing is very high.

Evasion: from the perspective of security protection, domain names with keywords are usually whitelisted to avoid a wide range of false positives, so they can effectively bypass the threat intelligence detection of security protection products.

2.3 how to defend against Punycode phishing attacks?

Users should be vigilant before clicking on any links shared through text messages or IM applications, even if they come from a trusted contact. IDN format display is controlled by browser design, and end users have limitations in controlling how URL is displayed. The main and most effective method is to use the password manager to check the URL before entering the password, which can effectively reduce the chance for users to enter credentials to homonym phishing sites. The secondary check will effectively detect the URL to see if there is any significant character switching.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Network Security

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report