Phishing with internationalised domains

While on a train this morning, one of my close friends sent me this WhatsApp message:

[Image: the Adidas shoes WhatsApp message]

The person who sent it to me is not usually someone who forwards scams or spam, but, to me at least, this message did not look legit. It smelled strongly of a phishing scam.

However, it was a link to adidas.com/shoes – so how was this going to phish me?
Of course they are not giving away 3000 free pairs of shoes! Are they?

Cautiously, I pressed on the link.
Obviously, I didn’t end up on adidas.com.
Clicking on the link, I was redirected to http://xn--adids-m11b.com/shoes, which contained a registration form asking for all manner of personal details to claim my ‘free pair of shoes’.

But how did the link http://adidas.com/shoes end up redirecting to this dodgy site from WhatsApp?
Was Adidas hacked? No.
Can you change the display text of a hyperlink in WhatsApp? No. (I tried.)

The thing is, it’s not a link to adidas.com.
It’s a link to adidạs.com.

Two very different URLs indeed.
Look closely at the second ‘a’ in the domain. It’s not an a. It’s an ạ.
More info on this character: latin small letter a with dot below (U+1EA1)

Looking at the domain on my phone, it looks as though there’s a small mark on the screen under the ‘a’.

This is known as an internationalised domain name (IDN), and this specific kind of ‘attack’ is an IDN homograph (or homoglyph) attack – https://en.wikipedia.org/wiki/IDN_homograph_attack

This technique is similar to some personalised, or “cherished” vehicle number plates in the UK.
A fine example of such a number plate is:

[Image: ‘4LEX’ number plate]

The 4 is supposed to look like an ‘A’ in this particular example.
This is known as a homoglyph: two characters that look alike.

So what’s the deal with xn--adids-m11b?

xn--adids-m11b is Punycode. The xn-- prefix marks a label that has been encoded this way, and the part after it, adids-m11b, decodes to adidạs: the plain ASCII letters are copied as they are, and the ‘-m11b’ tail encodes which non-ASCII character was taken out and where it belongs.

Punycode is a representation of Unicode with the limited ASCII character subset used for Internet host names.

(thanks to Wikipedia)

You can try that out with this Punycode converter:
https://www.name.com/punycode-converter
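As an added example (not code from the original post), the script below does what the converter above does, and also shows why the homoglyph described earlier fools people: it encodes the displayed domain to its xn-- form, decodes it back, lists every non-ASCII character by code point and name, and compares a crude ‘skeleton’ (NFKD decomposition with combining marks stripped) against a constructed list of protected brand domains. Only the Python standard library is used; the brand list, the check_link report format and the skeleton heuristic are my own assumptions for the example, not part of any real product.

```python
import unicodedata

# Constructed allow-list of brand domains we want to protect (assumption for this example).
PROTECTED_BRANDS = {"adidas.com"}


def punycode_label(label: str) -> str:
    """Raw Punycode (RFC 3492) of a single label, without the xn-- prefix.
    'adidạs' -> 'adids-m11b': the ASCII letters are copied unchanged, then
    '-m11b' encodes which non-ASCII character was removed and where it goes."""
    return label.encode("punycode").decode("ascii")


def to_ace(domain: str) -> str:
    """IDNA ToASCII for a whole domain: every non-ASCII label becomes xn--<punycode>,
    ASCII labels are left alone. This is the form DNS actually resolves."""
    return domain.encode("idna").decode("ascii")


def from_ace(domain: str) -> str:
    """Reverse of to_ace: decode xn-- labels back to Unicode."""
    return domain.encode("ascii").decode("idna")


def skeleton(domain: str) -> str:
    """Crude confusable skeleton: decompose (NFKD), drop combining marks, lowercase.
    U+1EA1 decomposes to 'a' + U+0323 COMBINING DOT BELOW, so 'adidạs' -> 'adidas'.
    A production check would also use the Unicode confusables table (e.g. Cyrillic 'а'
    vs Latin 'a'), which this heuristic deliberately does not cover."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def non_ascii_chars(domain: str) -> list:
    """(char, code point, Unicode name) for every non-ASCII character in the domain."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in domain
        if ord(ch) > 0x7F
    ]


def check_link(displayed: str) -> dict:
    """Report what a chat app shows versus where the link actually goes.
    Accepts either the Unicode form or the xn-- form as input."""
    ace = to_ace(displayed)
    unicode_form = from_ace(ace)
    skel = skeleton(unicode_form)
    return {
        "displayed": displayed,
        "resolves_to": ace,
        "is_idn": any(label.startswith("xn--") for label in ace.split(".")),
        "non_ascii": non_ascii_chars(unicode_form),
        # Flag only when the skeleton matches a protected brand but the real
        # domain is something else: the genuine adidas.com must not be flagged.
        "lookalike_of": skel if skel in PROTECTED_BRANDS and unicode_form.lower() != skel else None,
    }


if __name__ == "__main__":
    # Constructed sample links: the real brand, the homoglyph from the post, and its xn-- form.
    for link in ("adidas.com", "adid\u1ea1s.com", "xn--adids-m11b.com"):
        report = check_link(link)
        print(f"{report['displayed']:>20} -> {report['resolves_to']:<20} "
              f"idn={report['is_idn']} lookalike_of={report['lookalike_of']} "
              f"non_ascii={report['non_ascii']}")
```

Running it prints one line per sample link; the second and third both resolve to xn--adids-m11b.com, list U+1EA1 as the only non-ASCII character, and are flagged as lookalikes of adidas.com, while the genuine adidas.com is not flagged. The same to_ace call is what a mail or chat gateway would apply to every hostname in a message before deciding whether to show the user the raw xn-- form.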

Just how dangerous is it?

Chrome, and most other desktop browsers, show the Punycode (xn--) form of the domain in the status bar when you hover over a link:

Safari, for example, can’t display the IDN at all:

[Image: Safari showing the xn-- domain]

However, some chat applications (WhatsApp included, at the time of writing) display the link exactly as it was written, dotted ‘a’ and all.

Redirection

The first warning sign that something is up is the redirection, or perceived redirection, from adidạs.com to the Punycode equivalent. (The browser isn’t really redirecting; it is showing the same domain in the xn-- form that it actually resolves.)

But for a lot of people, particularly those who are not tech-savvy, this small detail may go unnoticed, particularly on mobiles where the URL bar is hidden.

So a successful attack relies on the user not noticing the Punycode domain the link actually resolves to (or not caring, because they’re excited to receive the promised offer), or, more likely, not understanding the correlation between what they clicked on and where they ended up.

Another technique IDN attacks use is a quick redirect to a similar but believable domain name.
In our adidạs.com/shoes example, the attacker could have registered something such as adidas-shoes.gifts.
.gifts is a generic top-level domain, just like .com and .org.

Setting the Punycode domain (xn--adids-m11b.com) to redirect to adidas-shoes.gifts would create something that looks more realistic, at least to those a little less tech-savvy, because the address bar now shows a domain that reads naturally and contains no odd characters at all.

y tho

As I mentioned, in the Adidas example they were phishing for my personal data.
But these sites could just as easily display an official-looking login page for the brand’s site (capturing your username and password),
or a ‘buy now’ page harvesting your credit card details.

Because victims trust that they are on the legitimate brand’s site, the attackers are essentially free to do what they want.

I’ve been a customer of GoDaddy for several years.
Recently, I’ve needed to use their support service.
Unusually, they don’t offer email support, just phone or live chat.

On more than one occasion, live chat has been unavailable, and making a call hasn’t been convenient.
Secondly, live chat only works with a persistent connection. Working on a train, for example, means you’ll often be cut off from the live-chat session mid-support.

This is one reason I’ve been moving most of our domains over to Namecheap.
Their support team is always on hand, both by chat and by email (I much prefer email where possible).
I realise this is personal preference, but email support suits the way I work much better: not necessarily always connected!

Back in October, I wrote about a domain name appraisal scam. It appears this is still doing the rounds, but has changed wording slightly.

Below is the transcript of the messages:

Make no mistake, THIS IS A SCAM

From: [email protected]
Sent: 18 March 2010 07:54
To: Alex James Brown
Subject: ukcabs.net (sent 03/18/10)


Hello,

We buy and sell domains and web pr®jects. What is your price for the domain?
If you have other domains for sale feel free to send your list.

Looking forward to do business with you.
Regards,

Maria Coddington
Vice President
Internet Investment Startegies LLC

========================================================
NOTICE – This communication may contain confidential and privileged
information that is for the sole use of the intended recipient. Any
viewing, copying or distribution of, or reliance on this message by
unintended recipients is strictly prohibited. If you have received this
message in error, please notify us immediately by replying to the message
and deleting it from your computer.
========================================================

My reply, short and sweet:

From: Alex James Brown
Sent: 18 March 2010 07:54
To: [email protected]
Subject: Re: ukcabs.net (sent 03/18/10)


Looking to sell it for $40,000

Thanks

Alex


Now, make no mistake: I know this domain isn’t worth anywhere near $40k. But, to my amazement, a reply!

From: [email protected]
Sent: 18 March 2010 09:31
To: Alex James Brown
Subject: Re: ukcabs.net (sent 03/18/10)


Alex,

Can you accept 39,000 USD?

Do you sell domain with a web site or just the name?

Domain without content is ok with me. Web site is not necessary.

Have you had your domain names evaluated in the past? I mean domain
appraisals. Without valuation we cannot be sure in the sale price. It’s very
important for me in terms of reselling too. But we must engage a valuation
company with REAL manual service. So I will only accept valuations from
independent sources I and my partners trust.

To avoid mistakes I asked domain experts about reputable appraisal
companies.

Please check this blog with suggestions from other sellers and buyers:
http://www.domainexplorer.org/Archive/86132905.htm

If, for example, the valuation comes higher you can adjust your asking price
accordingly.  It will be fair. I also hope you can give me 12% – 15%
discount.

After you send me the valuation via email (usually it takes 1-2 days to
obtain it) we’ll continue our negotiations.

What is your preferred payment method:  Escrow.com, International wire
transfer, PayPal.com or something else?

Hope we can come to an agreement fast.

Looking forward to your reply.

Haggled me out of $1,000. Damn.

My reply (sorry for the bad language, but I really do hate scammers)

From: Alex James Brown
Sent: 18 March 2010 09:51
To: [email protected]
Subject: Re: ukcabs.net (sent 03/18/10)


yeah, absolutely,

sorry, I meant to say $40, but $39,000 is great! thanks.

yeah, I’ll sure do the appraisal now.

oh wait…

http://www.alexjamesbrown.com/scams/domain-name-appraisal-scam/

Kindly,

Go fuck yourself.

Domain Name Appraisal Scam – NameSaleShop.com

I recently listed a domain for sale, www.ukcabs.net (incidentally, it’s still for sale; if anyone is legitimately interested, please feel free to contact me).

It was listed on places like Sedo, and I advertised it on Twitter and eBay.

On Saturday, 9th May, 2009, I received an email from [email protected] with the subject “ukcabs.net sent (05/09/09)”

Hello,

What is the price of your domain?

We are very interested in it. Good domains are wise investment in the

future. Our company is interested in easy-to-remember domain names.

If you have other domains for sale feel free to send your list.

Looking forward to do business with you.

Regards,

Andrew Weisberg

CEO

OB Real Estate LLC


Naturally, I replied a few days later, initially believing it to be genuine interest in the domain name.

Hi there,

Apologies for the late reply

I’m interested in offers on the domain, please feel free to send me one.

Regards,

Alex

I didn’t hear anything for a few months, so in September I resent the above message and asked if he was still interested in the domain.

Around a week later, I received this reply:

Yes.

As a seller you should provide me with an appraisal first. This is a reasonable practice.

I’ve found not all the appraisals are accurate. So I accept real manual appraisals from trusted sources only.

I don’t trust $14-$20 services. Nobody will do a research for $14. We need a real manual service.

I researched several companies and here are the results:

I wanted to engage AccurateDomains.com as appraiser but looks like this company has very bad reputation Just read this blog http://accuratedomains.blogspot.com/

So I’m not going to accept this fraudulent service.

I also considered www.Afternic.com, but now it’s clear their service is not reliable enough.

Just read this:

http://www.igoldrush.com/links3.htm

"Capsule Review: After lots of complaints, Afternic is no longer a recommended service. We will re-review the service in the near future."

Another complaint

http://www.out-law.com/page-1630

I was told about manual research service from http://www.DomainMart.com. It costs – $200/hour.

Many experienced sellers suggested us http://www.Namesaleshop.com as a trustworthy manual service. They charge per name not per hour. We’ve read only positive comments about them. And I have my own positive experience with this company and their support.


Just googling “namesaleshop scam” brings up plenty of information.

What this guy does is pretend to be interested in buying the domain, then make you pay €60 to have it appraised by a “reputable” company, which just so happens to be his company.

Then, needless to say, he vanishes.