
Thursday, May 18, 2017

Second update: ".brands" & Homograph attacks

UPDATE: the two examples of homographs below for Apple and Epic now appear "in real" in the Chrome and Edge (Microsoft) browsers. These browsers must have received an upgrade recently. This was not the case at the time of this first publication a few days ago. The fake sites can still be viewed on the Chrome version of Chromebooks (5/18/2017).

The article:

Many Trademarks applied for their own ".brand" domain name extension but very few use them, and why would they if they are already installed with their legacy “.com” domain? IDN homograph attacks are a good reason to start migrating to (and promoting) a .BRAND new gTLD. Read why below.

With traditional domain name extensions, open for domain name registration to the public, anyone can register a domain name: no need to ask anyone for permission. An attacker is free to register the exact same domain name as a trademark and, unless the trademark’s owner notices, few will pay attention. It is what attackers often do, but this is not possible with “.brand” domain names.

Why it matters
The reason it matters for Trademarks and their consumers is that this restricted access to registering “.brand” domain names makes a huge difference in terms of security: attackers don’t have access to them. When a .BRAND new gTLD applicant makes the move to use its personalized extension only and informs its clients, it greatly increases their security when:
  • Buying online;
  • Certifying the information that they read.

Two more levels of security
With .BRAND new gTLDs, two more levels of security are offered to online consumers, and they will push an attacker to use another domain name extension since he won’t be able to register such “.brand” domains:
  1. Homograph attacks free
    An attacker will be able to launch a phishing or a homograph attack using any open extension, and he may cheat by hiding homoglyphs or mistypes inside the second level domain name, but he won’t be able to do it with a “.brand” domain name. No one but the owner of the .BRAND new gTLD can create domain names. In regard to standard phishing attacks faking “.brand” domains, a consumer will always have the ultimate alternative of double checking the hyperlink, but does it really matter here, since checking that it ends with the right extension is enough?
    Remember: the attacker cannot use a .BRAND new gTLD.
  2. A seal: the extension is the Trademark
    With a client being trained by the Trademark (the “.brand” new gTLD applicant) to visit hyperlinks ending in a “.brand” domain name extension, he becomes used to it, so the ending of an email received or a website visited certifies that the content is from the Trademark. Again, attackers cannot register such domains, so wherever the link points to, the recipient of an email or the reader of a website has the capacity to double check what the domain name extension is.
    Remember: the .BRAND new gTLD is the seal that confirms that what you read is legitimate.

Phishing and Homograph attacks

Phishing attacks
In a phishing attack, you receive an email asking you to click on a hyperlink, whose text would be “click here”; clicking takes you to a fake website (asking for money or information). Such links can be double checked by hovering the mouse over the hyperlink, which makes the real hyperlink visible prior to clicking. Some more sophisticated phishing attacks even use mistyped domain names such as GuiІІ (fake site) for (real site). Note that the two letters “l” in the fake site are in fact two Cyrillic “І”, a letter of the Cyrillic script, not the Latin letter “l” (it also works with “0” replacing “o”). When you hover your mouse over the hyperlink, you will note that the domain name shows two “i” (instead of two “l”). Phishing attacks are in fact spam campaigns asking you to click on a hyperlink that takes you to a fake website.
Remember: you can double check the link in your browser bar (URL bar).

Homograph attacks
Homograph attacks are the same, but the problem is that the link you are asked to click looks exactly the same in your address bar, “visually speaking”. Homoglyphs are used here: they are characters whose shapes appear identical or very similar to one another, and Internationalized Domain Names (IDNs) are used for homograph attacks. A recent example given in the press was “” (real site), which is also “” and “” (fake site). Try the two of them in your address bar and you will note that both read as “” in your address bar. The problem? They are two different websites under the visually identical “.com” domain name. Imagine such an attack using your domain name: scary, isn’t it?
Remember: you cannot double check the link in your browser bar (URL bar), you must double check it before you click.
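The two checks the post describes, a hover/visual check of the label and a check that the link ends in the Trademark's own ".brand" extension, as an added defender-side example that is not code from the original post. It decodes "xn--" labels, flags labels that mix scripts or whose non-ASCII letters all mimic Latin letters, and applies the ".brand" rule; the confusables table and the brand TLD "apple" are constructed assumptions for the demonstration, and the table is only a small subset of the real Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed partial map of Cyrillic/Greek code points whose glyphs mimic Latin letters
# (a small subset; real tooling would use the Unicode confusables.txt data).
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u0406": "I",  # Cyrillic capital I: in sans-serif fonts "I" and "l" look alike
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",
}

def to_unicode_label(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(label: str) -> set:
    """Script names (LATIN, CYRILLIC, ...) of the letters in a label; digits and
    hyphens are script-neutral and skipped."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found

def analyze_host(host: str) -> dict:
    """Flag labels mixing scripts, and labels whose non-ASCII letters are all
    look-alikes of Latin letters (the string the victim would "see")."""
    labels = [to_unicode_label(lab) for lab in host.rstrip(".").split(".")]
    mixed, lookalike = [], {}
    for label in labels:
        if len(scripts_of(label)) > 1:
            mixed.append(label)
        non_ascii = [c for c in label if not c.isascii()]
        if non_ascii and all(c in CONFUSABLE_TO_LATIN for c in non_ascii):
            lookalike[label] = "".join(CONFUSABLE_TO_LATIN.get(c, c) for c in label)
    return {"decoded": ".".join(labels), "mixed_script": mixed,
            "latin_lookalike": lookalike, "suspicious": bool(mixed or lookalike)}

def link_allowed_by_brand_policy(url: str, brand_tld: str) -> bool:
    """The post's rule: only links ending in the brand's own TLD are trusted,
    whatever the second-level label looks like."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host == brand_tld or host.endswith("." + brand_tld)
```

Run `analyze_host("xn--80ak6aa92e.com")` to see the post's Apple example decoded to its Cyrillic form and reported as a Latin look-alike, while `link_allowed_by_brand_policy` rejects it for a Trademark that only ever sends links under its own ".apple" extension.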

Why change now?
If .BRAND new gTLD applicants still don’t know what to do with their own domain name extension, changing now allows:
  • To start training and informing their consumers to visit a new website: “this takes time”;
  • To homogenize their domain name portfolio and stop registering more domain names they will never use: there will probably be more domain name extensions created in the future and, unless I am wrong, this means more domain names to register for any Trademark that wants to secure its assets;
  • To enhance their consumers’ level of security: chances are high that attacks’ level of sophistication will not lower in the future and “.brand” domain names are a barrier to homograph attacks.
The most frustrating reason to migrate to a .BRAND new gTLD today is that consumers - you - don’t stand a chance against a sophisticated homograph attack. For example, a picture received in an email does not always show the URL prior to clicking on it. This means that if you click, you could be taken to a website with what looks like the right domain name and the exact same content as your bank’s. How will you be able to tell that you are on the right website? Once you've submitted your login and password?

Banks should consider
Banks who did not (yet) apply for their own domain name extension should consider using a .BANK domain name for the same reason. Attackers cannot have access to “.bank” domain names since these are restricted to banks. In one word, it means that a bank can drastically increase its level of online security by using an extension which is not open to the public, as the popular “.com” domain name extension is. Some other extensions, like the .MUSEUM legacy gTLD, for example, prevent homograph attacks by restricting which characters can be used in domain names (source: Wikipedia).

Making sense
Migrating to a single .BRAND new domain name extension makes sense if:
  • All other domain names are redirected to new “.brand” domains so existing users are trained to visit the new URLs;
  • Existing and new clients are informed about this change early in advance so it does not cause more confusion;
  • Existing and new clients are told that all other information coming from other domain name extensions (emails or websites) is not certified as coming from the Trademark.
The objective of such move is to:
  1. Guarantee visitors the highest level of security;
  2. Lower the level of confusion due to the important number of new domain name extensions created;
  3. Increase the level of trust with one single source of information.
Attackers can use any second level domain from any extension open to the public, and which accepts IDNs, to organize and launch a homograph attack. Trademarks owning their personalized .BRAND extension are the ones controlling which domain names are registered, so this cannot happen (unless they want it to). Still not convinced? Click here: https://аррӏе.com/

Register your Trademark using an agent.