National Characters in Addresses - A Phishing Paradise?



    Hello!

    The idea for this short article came from another one on a similar theme that I read quite a while ago. I decided to play a little with this randomly encountered topic and share my games with the Habr community.

    Today's subject is mainly the .рф zone, and the playground will be the site of the esteemed President of the Russian Federation, for which many thanks to him!

    Of course, these "games" scale to any other site with national characters in its domain name. And in general, this article is not a way to hack the President's site; it is simply a demonstration and discussion of a quite real possibility that attackers could use to good effect.


    INTRODUCTION
    So, it happened! On May 12, 2010, the .рф zone began its glorious existence; its first pioneers were the sites http://президент.рф and http://правительство.рф. An active PR campaign for buying domain names was run, and many became the lucky owners of a cute Cyrillic address. We already have http://почта.рф, http://яндекс.рф... Nice. But other thoughts come to mind...

    THEORY
    As you know, the .рф zone lets you write a name in Cyrillic. The specimen for today's research is the site президент.рф.
    When you type the name into the Firefox address bar and press Enter, you may notice it briefly turn into a strange combination: xn--d1abbgf6aiiy.xn--p1ai. No, you have not been hit by a terrible virus and you have not become a phisher's prey (at least not yet ;)). What you see is the conversion of the Cyrillic name, which DNS cannot handle, into an ASCII form it can, the IDN representation. For DNS there never was, and still is no, президент.рф; there is only the odd-looking but machine-readable name xn--d1abbgf6aiiy.xn--p1ai. The xn-- prefix (the ACE prefix) signals that the label is encoded in Punycode.

    Proof of concept
    I stared at this for a while and then remembered: many Latin letters look exactly like Cyrillic ones! So "президент.рф" can be spelled in several ways, since the Cyrillic "е" and "р" are visually identical to the Latin "e" and "p" but are different characters to the system. The label президент contains three such letters (р, е, е), so there are 2^3 = 8 variants of "президент.рф" that are indistinguishable to the eye. Their only difference is the Punycode.

    To illustrate the idea we will use a convenient online converter (I will not list all eight variants, just the genuine name and three demonstrative fakes):

    http://президент.рф = http://xn--d1abbgf6aiiy.xn--p1ai (the President's real site, all Cyrillic)
    http://президент.рф = http://xn--p-htbcbig1bj8a.xn--p1ai (fake number 1: Latin "p" in place of "р")
    http://президент.рф = http://xn--e-htbdgf6aiiy.xn--p1ai (fake number 2: Latin "e" in place of the first "е")
    http://президент.рф = http://xn--pee-oddog1bj8a.xn--p1ai (fake number 3: Latin "p", "e", "e" for all three letters)

    As you can see, the "Russian" names show no difference at all, yet these are different hosts, both in Punycode and in fact. You can tell something is off by the Latin letters in front of the hyphen, for example the "pee" in xn--pee-oddog1bj8a.xn--p1ai, but who looks at that?
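    The conversion described in the THEORY section and the enumeration of look-alikes in this proof of concept, as an added example (my own code, not code from the original post): a small Python script that encodes and decodes the Punycode forms with the standard library, generates every look-alike variant of a label from a hand-picked confusables table, and folds look-alikes to a common "skeleton" so that the fakes can be caught. The CYR_TO_LAT table is an assumption, a small subset of the Unicode confusables data covering only the lowercase Cyrillic letters whose usual glyph matches a Latin one; the function names are mine.

```python
# Added example (not from the original post): generate and detect look-alike
# variants of an IDN label. CYR_TO_LAT is a hand-picked subset of the Unicode
# confusables data, an assumption rather than a complete list.
from itertools import product

# Lowercase Cyrillic letters whose usual glyph is identical to a Latin letter.
CYR_TO_LAT = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x"}


def to_ascii(domain):
    """Encode each non-ASCII label with RFC 3492 Punycode plus the xn-- prefix."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(domain):
    """Inverse of to_ascii: strip the xn-- prefix and decode the Punycode."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def homoglyph_variants(label):
    """All 2**n strings obtained by replacing any subset of the n confusable
    Cyrillic letters in `label` with their Latin look-alike, original first."""
    choices = [(ch, CYR_TO_LAT[ch]) if ch in CYR_TO_LAT else (ch,) for ch in label]
    return ["".join(combo) for combo in product(*choices)]


def lookalike_domains(domain):
    """Map A-label form -> U-label form for every look-alike of the second-level
    label. The TLD is left alone: xn--p1ai is fixed, nobody can register a fake one."""
    sld, dot, rest = domain.partition(".")
    return {to_ascii(v + dot + rest): v + dot + rest for v in homoglyph_variants(sld)}


def skeleton(label):
    """Fold confusable Cyrillic letters to Latin so that look-alikes compare equal."""
    return "".join(CYR_TO_LAT.get(ch, ch) for ch in label)


def scripts_used(label):
    """Rough script classification of the letters in a label."""
    found = set()
    for ch in label:
        if "a" <= ch <= "z":
            found.add("Latin")
        elif "\u0400" <= ch <= "\u04ff":
            found.add("Cyrillic")
        elif ch.isalpha():
            found.add("other")
    return found


def is_mixed_script(label):
    """True when one label mixes scripts, which is what gives these fakes away."""
    return len(scripts_used(label)) > 1


if __name__ == "__main__":
    real = "президент.рф"
    real_sld = real.split(".")[0]
    print("real site:", real, "->", to_ascii(real))
    # Eight lines that look the same on screen but carry eight different A-labels.
    for ace, uni in lookalike_domains(real).items():
        sld = uni.split(".")[0]
        same_look = skeleton(sld) == skeleton(real_sld)
        flag = "MIXED SCRIPT" if is_mixed_script(sld) else "ok"
        print(f"{uni}  {ace:<30} same skeleton={same_look}  {flag}")
```

    Running it prints eight visually identical names next to eight different A-labels, including the three fakes listed above. `is_mixed_script` flags the seven fakes; that is the kind of check a browser's IDN display policy applies when it decides to show the Punycode form instead of the Unicode one. `skeleton` is the comparison a registry or a brand-monitoring script can use to spot a look-alike registration of an existing name.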

    CONCLUSIONS
    The result is an ideal phishing trap: with a look-alike site substituted for the real one, an attacker very quickly receives everything the user would normally enter on the genuine site.

    At the time of writing I found no restriction that would make it impossible to use Latin letters in such IDN domains. The examples above lead to a page saying that there is currently no host IP address matching the given domain names; that is, they have not been bought yet. For how long? ;)

    Moral:
    "As many languages as you know, that many times you are a person." A.P. Chekhov


    PS At the moment президент.рф automatically redirects to kremlin.ru, so this article should be treated as a pure proof of concept, with possible further development ;)
