session
Fiesta 7
1:40 pm - 2:30 pm, Monday, September 25
Why Spoof, When you Can Own?
Threats (Detection/Hunting/Intelligence/Mitigation/Monitoring)
About

Session Abstract: Homograph domain attacks seem to come up every few years in security blogs. Replace (INSERT CHARACTER HERE) with a nearly identical, rarely used Unicode character, and voilà, you have a string that might fool an unsuspecting party. It is like typosquatting, but the difference between the real string and the homoglyph will likely be harder to spot than a misspelling or an extra letter. This talk will cover potential attacker use cases, real-world examples, limitations of current mitigations, and how organizations can work to actively address this issue.

Additional Information: Outline:

1. What is a homograph?
   a. Homograph definition
   b. Examples of ASCII/Unicode homographs
2. How has this been used?
   a. Domain name spoofing
   b. Targeted phishing
      i. As opposed to spoofing, with homographs the attacker can own the domain and get their mail records (SPF, DKIM, DMARC) and certificates in order
3. This is old news; is it still relevant?
   a. Yes, it is very relevant and is still being seen
      i. Give recent news reports
   b. Give example of the Polish letter ł
4. What about Punycode and other mitigations?
   a. Punycode works, if it is displayed
   b. Give example of freepeopłe.com
   c. Show examples of Punycode not being displayed in the browsers, mail clients, and applications tested
5. What are our options moving forward if we can't rely on Punycode?
   a. Active mitigations (ideal)
      i. We can use Punycode patterns (i.e. "xn--" at the start of a domain label) to block connections and communications to those domains where possible
      ii. Pressure registrars to monitor registration of domains using characters from multiple scripts (e.g. Latin and Cyrillic)
      iii. Pressure those making applications to use Punycode where possible or disallow Unicode if possible
      iv. Pressure takedown/brand protection services to monitor for homograph domains
      v. End user training/public awareness
   b. Passive mitigations (more immediate and realistic)
      i. Monitoring and alerting for communications with and connections to Punycode domains (i.e. domains containing "xn--")
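The outline's two detection ideas, the "xn--" check on what actually crosses the wire and the registrar-style mixed-script check, can be compared directly. The following is an added example written for this page, not code from the talk or its speaker. It uses only the Python standard library's IDNA/Punycode codec, the sample log lines are constructed for the example, and the use of freepeople.com with a Polish ł or a Cyrillic е is illustrative only; the script heuristic (first word of each character's Unicode name) is a simplification of the real Unicode Script property.

```python
# Added example (not from the talk or its slides): the Polish-letter and
# Punycode points of the outline in code. Domain names, sample log lines
# and the script heuristic used here are illustrative assumptions.
import re
import unicodedata

# Constructed sample log lines for this example. Line 2 is freepeopłe.com
# (Polish ł, U+0142) in its on-the-wire Punycode form; line 3 carries a
# Cyrillic "е" (U+0435) in place of the first Latin "e" of freepeople.com.
SAMPLE_LOGS = [
    "2023-09-25 13:41:02 dns src=10.0.0.5 qname=freepeople.com",
    "2023-09-25 13:41:07 dns src=10.0.0.7 qname=xn--freepeope-xub.com",
    "2023-09-25 13:41:09 smtp from=hr@xn--frepeople-h0h.com to=cfo@corp.example",
]

# Hostname-like tokens: dot-separated labels of [a-z0-9-] ending in an alphabetic TLD.
_HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w.-])", re.I)


def to_ascii(domain: str) -> str:
    """IDNA/Punycode form of a domain: what DNS, TLS SNI and SMTP actually see."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Decode a Punycode domain to the form a client may (or may not) display."""
    return domain.lower().encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label, approximated (assumption) by the
    first word of each character's Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess(domain: str) -> dict:
    """Classify a domain the way a passive monitor could. 'punycode' is the
    outline's xn-- check; 'mixed_script' is the registrar-style check, which
    misses all-Latin homoglyphs such as ł."""
    try:
        unicode_form = to_unicode(domain) if "xn--" in domain.lower() else domain
        ascii_form = to_ascii(unicode_form)
    except UnicodeError:
        # Malformed Punycode cannot be a legitimate name; alert on it as well.
        return {"domain": domain, "unicode": domain, "ascii": domain,
                "punycode": True, "mixed_script": False,
                "decode_error": True, "suspicious": True}
    punycode = any(lbl.startswith("xn--") for lbl in ascii_form.split("."))
    mixed = any(len(label_scripts(lbl)) > 1 for lbl in unicode_form.split("."))
    return {
        "domain": domain,
        "unicode": unicode_form,
        "ascii": ascii_form,
        "punycode": punycode,
        "mixed_script": mixed,
        "suspicious": punycode or mixed,
    }


def scan_logs(lines) -> list:
    """Passive mitigation from the outline: every hostname in the log lines that
    carries an xn-- label, paired with its assessment."""
    hits = []
    for line in lines:
        for host in _HOST_RE.findall(line):
            if any(lbl.lower().startswith("xn--") for lbl in host.split(".")):
                hits.append((host, assess(host)))
    return hits


if __name__ == "__main__":
    for host, verdict in scan_logs(SAMPLE_LOGS):
        print(f"{host} -> {verdict['unicode']!r} "
              f"punycode={verdict['punycode']} mixed_script={verdict['mixed_script']}")
```

Run stand-alone it reports both Punycode hosts from the sample log. The point worth noticing is the ł case: freepeopłe.com is entirely Latin script, so a mixed-script rule at the registrar or in a browser's IDN display policy does not flag it, while the xn-- label on the wire is caught regardless of what the client chose to render. A production detector should use the Unicode Script property (see UTS #39) rather than the name heuristic above, and should also decode-and-compare against a list of protected brand names.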

Stay Informed
Join our mailing list for the latest news on InfoSec World 2023.