Phishing with internationalized domains

Feb 12 18

While on a train this morning, one of my close friends sent me this WhatsApp message:

Adidas Shoes WhatsApp Message

The person who sent it to me is not usually someone to send out scams or spam, but, to me at least, this message, did not look legit. It smelled strongly of a phishing scam.

However, it was a link to adidas.com/shoes – so how was this going to phish me?
Of course they are not giving away 3000 free pairs of shoes! Are they?

Cautiously, I pressed on the link.
Obviously, I didn’t end up on adidas.com
Clicking on the link, I’m redirected to http://xn--adids-m11b.com/shoes – which contained a registration form, asking for all manner of personal details to claim my ‘free pair of shoes’

But, how did they get the link http://adidas.com/shoes to redirect to this dodgy site from WhatsApp?
Was Adidas hacked? No.
Can you change the text of a hyperlink in WhatsApp? No. (I tried)

The thing is, it’s not a link to adidas.com
It’s a link to adidạs.com

Two very different URLs indeed.
Look closely at the second ‘a’ in the domain. It’s not an a. It’s an ạ
More info on this character  – latin small letter a with dot below (U+1EA1)

Looking at the domain on my phone, it looks as though there’s a small mark on the screen under the ‘a’

This is known as an internationalised domain name, and this specific kind of ‘attack’ is a IDN Homograph (or homoglyph) Attack – https://en.wikipedia.org/wiki/IDN_homograph_attack

This technique is similar to some personalised, or “cherished” vehicle number plates in the UK.
A fine example of such a number plate is:

4lex number plate

The 4 is supposed to look like an ‘A’ in this particular example.
This is known as a Homoglyph – where 2 characters look alike.

So what’s the deal with xn--adids-m11b?

xn--adids-m11b is punycode – which when converted in to unicode, is adidạs

Punycode is a representation of Unicode with the limited ASCII character subset used for Internet host names

(thanks to Wikipedia)

You can try that out with this Punycode converter:
https://www.name.com/punycode-converter

Just how dangerous is it?

For example, Chrome, and most other browsers will display the puny-code domain in the status bar when hovering over an href:

IDN Chrome Link

Safari, for example, can’t display the IDN at all:

safari idn

However, some chat-applications (WhatsApp included at the time of writing) display the link as it was written.

Redirection

The first warning sign something is up – the redirection, or perceived redirection from adidạs.com to the punycode equivalent.

But for a lot of people, particularly those who are not tech-savvy, this small detail may go unnoticed. Particularly if the URL bar is hidden on some mobiles.

So the vector of attack (at least successful attack) relies on the user not noticing the punycode domain it is actually resolved to (or not caring – because they’re excited to receive the promised offer for example)
Or, more likely, them not understanding the correlation between what they click on, and where they end up.

Another technique IDN attacks deploy is a quick redirect to a similar but believable domain name.
In our adidạs.com/shoes example, the attacker could have registered something such as adidas-shoes.gifts
.gifts is a generic top level domain, just like .com .co.uk .org etc…

Now, setting the puny-code domain (xn--adids-m11b.com) to redirect to adidas-shoes.gifts – would create something that looks more realistic – at least to those a little less tech-savvy.

y tho

As I mentioned, in the Adidas example, they were phishing my personal data.
But these sites could quite easily display an official looking login page to that site (capturing your username / password)
Or a ‘buy now’ page – harvesting your credit card details.

The fact they have their victims trust that they are on the legitimate brand site means they are free to essentially do what they want.

Setting up a Verium miner on Ubuntu

Jan 21 18

Verium is A CPU mineable Digital Commodity – unlike most other crypto currencies which require GPU / ASIC mining rigs.

I currently have an under-utilised ‘cloud platform’ subscription, so decided to set up a VM and join a mining pool, to mine this currency.

I used a Linux (Ubuntu) VM for this, other flavours are available, but the commands will differ slightly:

First of all, you’ll need an account with the mining pool.
This blog post somewhat paraphrases the instructions on the getting started guide.

However, I’m focusing more on the installation / running of the miner.

For the purposes of the rest of this post, I’m going to assume you’ve got a mining pool account, and wallet set up.
You’ll also need to have created a worker (with username, password)

Installing and running the miner

SSH into the VM, then we’ll install the required packages.
sudo apt-get update
sudo apt-get -y install automake autoconf pkg-config libcurl4-openssl-dev libjansson-dev libssl-dev libgmp-dev zlib1g-dev

Now, cd into a directory where you want your miner to live.
(I put mine in the home dir)

git clone https://github.com/effectsToCause/veriumMiner
cd veriumMiner

There’s a handy build shell script we can run to do the actual building from source:
./build.sh

Finally, we can start the miner
Note, your actual parameters will vary dependent on expected hashrate, your user/pass for your worker etc…

./cpuminer -B -n 1048576 -o stratum+tcp://eu.vrm.mining-pool.ovh: -u -p

The -B parameter denotes ‘Background’ so it is safe to close the SSH session, and the miner will continue to run.

Back over on your mining pool account, you should now be able to see your worker(s) set up, along with their current hashrate (Hash/m)

Profit!

Getting paid

Your payments will go into your wallet address you specified (during the setup of your account)

The ‘Debit AP’ column shows how much has been sent to your wallet.

Verium - earnings

Search git branch names using command line

Dec 15 17

Looking for a particular branch, and git branch -a returns a LOT of branches?
If on Windows, you could use the Search feature in cmder (you’re using cmder, right?)

Or on mac, cmd+f and then search the outputted text…

OR you could use one of these two approaches:

1)
git branch takes a --list argument , which in turn takes a search arg.
Example:

git branch -a --list *something*

Will return only the branches containing the word “something” (note the wildcard character)

2)
The alternative, if in bash / bash compatible terminal (git bash / cmder etc… on Windows – normal Command Prompt won’t work – unless you’ve got bash extensions installed) is to pipe the result to grep:

git branch -a | grep something

Both methods here will yield the same results.

Side note:
-a shows all local and remote branches
-r shows only remote branches

Personal Profile Sites

Nov 30 17

Recently, I’ve been looking in to ‘personal profile sites’ and what they can potentially do for someones internet reputation.

Cohoda LTD are currently running an experiment for a long-term client, Andy Britnell.

Between us, we’ve thrown together andy-britnell.com to see what positive effect on his personal profile we can build from a single, one page site.

If this experiment is successful, I’ll look at doing more personal profile sites – including one for myself.

I see them as extensions of linked in profiles – where by anyone can see the information, without having to be a LinkedIn member.

Andy Britnell - Personal profile site

VS Code “deletes 3 months” of guys work

Aug 21 17

Recently, someone with the GitHub username eliecerthoms reported an incredibly unfortunate issue with VS Code.
It actually stems from his complete misunderstanding of git.

A classic case of RTFM