In the past few years there has been a significant increase in cyber crime across the world. New attacks trap unsuspecting users in fraud, and some of them, social engineering in particular, let even non-technical people attack targets. One application of social engineering is phishing.
Some years ago attackers adopted a phishing technique known as the homograph attack, sometimes described as advanced phishing. Why "advanced"? Because the spoofed address is so hard to distinguish from the real one that an ordinary person who simply surfs the internet cannot tell them apart. So let us learn about this attack!
If you know the Cyrillic script (the alphabet used for Russian, Ukrainian, Bulgarian, Serbian and other languages of Eastern Europe and Central Asia), you will know that it has letters such as а, с, е, о, р, х and у that look identical to the Latin letters a, c, e, o, p, x and y used for English. So a domain like google.com written with Cyrillic letters looks exactly like google.com written in Latin letters, even if only the two o's are replaced. For an attacker who wants to spoof a victim this is the whole trick: register an Internationalised Domain Name (IDN, a domain name that may contain Cyrillic characters) and host a page on a server to lure you to it. Got worried? Calm down. After reading this article you will be able to recognise this attack. First of all, let's see how it works!
DEMONSTRATION OF THE ATTACK
We are using a tool here to form a domain containing Cyrillic characters and will then send that domain to our target using social engineering techniques.
We are using Kali Linux 64-bit (kernel 5.5.0) to install this tool.
- Open the Kali terminal and clone the GitHub repository by typing git clone https://github.com/UndeadSec/EvilURL.git.
git clone https://github.com/UndeadSec/EvilURL.git
Cloning into 'EvilURL'...
remote: Enumerating objects: 132, done.
remote: Total 132 (delta 0), reused 0 (delta 0), pack-reused 132
Receiving objects: 100% (132/132), 1.18 MiB | 843.00 KiB/s, done.
Resolving deltas: 100% (64/64), done.
- After cloning, change into the cloned directory with cd EvilURL.
- Then run python3 evilurl.py. The tool is a command-line tool and starts in the terminal.
- Type 1 to generate an evil URL, that is, a domain name that contains Cyrillic characters.
- It will then ask for the name and top-level domain (.com, .net, .org, etc.) of the domain for which you want an evil URL. For the demo we enter snapchat.com.
- As soon as we enter the details, it generates several evil URLs.
- You now have a list of evil URLs in which letters such as a, c, p and s have been exchanged for Cyrillic characters or similar-looking symbols. Every one of these URLs has the same appearance as the original, but it is not the real domain. To try this, let's open one of the generated URLs. See the result:
The generated domains take the victim to a completely different site, and with a convincing social engineering pretext an attacker can steal credentials from a fake login page hosted on it.
HOW CAN WE PREVENT IT?
- First of all, before clicking any URL, check the URL you are about to click. Internationalised Domain Names contain non-ASCII characters, but the DNS only carries ASCII labels, so the browser converts each non-ASCII label to Punycode (an ASCII form starting with xn--) before it looks the domain up. That is why, in the example, the Cyrillic snapchat.com appears as something like http://xn--nht-qzc85cc3i7g.com, which is not snapchat.com at all. Modern browsers show this Punycode form in the address bar when a label mixes scripts, as the snapchat example does (n, h and t stay Latin), but a label built entirely from Cyrillic look-alikes may still be displayed as Unicode in some browsers, so the address bar alone is not a reliable check.
- Open URLs you do not trust in a desktop web browser, where the full address bar is visible; mobile browsers often truncate or hide it.
- Never trust URLs sent from unknown sources.
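The following Python script is added here as an illustration; it is not part of EvilURL and not code from the original article. It does both halves of what is described above: it generates Cyrillic look-alike variants of a brand label the way the demonstration does, computes the xn-- form that the DNS actually resolves (the check from the first prevention point), and flags URLs whose host is a look-alike of a protected brand or mixes scripts inside one label. The confusable table and the protected-brand list are constructed for the example; EvilURL maintains its own, larger table. Python's built-in idna codec (IDNA 2003) is used for the Punycode conversion.

```python
"""Homograph domains: generate Cyrillic look-alikes of a label, show the
Punycode (xn--) form the browser really resolves, and flag such hosts."""
import itertools
import unicodedata
from urllib.parse import urlsplit

# Constructed table: Latin letters and the Cyrillic letters that render almost
# identically in most fonts. EvilURL ships its own, larger table.
CONFUSABLES = {
    "a": "\u0430",  # CYRILLIC SMALL LETTER A
    "c": "\u0441",  # CYRILLIC SMALL LETTER ES
    "e": "\u0435",  # CYRILLIC SMALL LETTER IE
    "i": "\u0456",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "j": "\u0458",  # CYRILLIC SMALL LETTER JE
    "o": "\u043e",  # CYRILLIC SMALL LETTER O
    "p": "\u0440",  # CYRILLIC SMALL LETTER ER
    "s": "\u0455",  # CYRILLIC SMALL LETTER DZE
    "x": "\u0445",  # CYRILLIC SMALL LETTER HA
    "y": "\u0443",  # CYRILLIC SMALL LETTER U
}
TO_LATIN = {cyr: lat for lat, cyr in CONFUSABLES.items()}

# Hypothetical allow-list of brand labels that a mail gateway or proxy protects.
PROTECTED_LABELS = {"snapchat", "google", "paypal"}


def homograph_variants(label):
    """Yield every label obtained by swapping one or more confusable Latin
    letters for their Cyrillic look-alike (the unmodified label is not yielded)."""
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    for count in range(1, len(positions) + 1):
        for combo in itertools.combinations(positions, count):
            chars = list(label)
            for i in combo:
                chars[i] = CONFUSABLES[chars[i]]
            yield "".join(chars)


def to_ascii(domain):
    """The form sent to DNS: each non-ASCII label becomes an xn-- A-label
    (IDNA 2003, as implemented by Python's built-in 'idna' codec)."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Inverse of to_ascii: decode xn-- labels back to the displayed form."""
    return domain.encode("ascii").decode("idna")


def scripts_of(label):
    """Unicode scripts used by a label's letters, taken from the first word of
    each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Map Cyrillic look-alikes back to Latin, so the Cyrillic 'snapchat'
    variants all collapse to 'snapchat'."""
    return "".join(TO_LATIN.get(ch, ch) for ch in label)


def check_url(url):
    """Classify a URL's host. Returns (verdict, detail) with verdict one of
    'homograph' (look-alike of a protected brand), 'mixed-script' (a label
    mixing Latin with another script), 'invalid' (undecodable xn-- label) or
    'ok' (pure ASCII, or a single-script non-brand IDN such as a genuine
    Cyrillic site)."""
    host = urlsplit(url).hostname or ""
    try:
        shown = to_unicode(host) if host.isascii() else host
    except UnicodeError:
        return "invalid", host
    for label in shown.split("."):
        plain = skeleton(label)
        if plain != label and plain in PROTECTED_LABELS:
            return "homograph", f"{label} looks like {plain}"
        if len(scripts_of(label)) > 1:
            return "mixed-script", label
    return "ok", shown


if __name__ == "__main__":
    # Same thing the EvilURL demo does for snapchat.com, plus the xn-- form
    # and the verdict a gateway would assign to each variant.
    for variant in homograph_variants("snapchat"):
        domain = variant + ".com"
        print(f"{domain:<16} {to_ascii(domain):<32} {check_url('http://' + domain)[0]}")
```

Every snapchat variant is reported as a homograph rather than merely mixed-script because the brand check runs first: the skeleton (Cyrillic letters mapped back to Latin) matching a protected label is the stronger signal. A wholly Cyrillic label that does not skeleton to a protected brand is left alone, which is what keeps genuine Cyrillic domains out of the alerts.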