Lookalike Domain Names Yet Another Browser Scam
A security firm says efforts to make the Internet truly global could make scams easier. It also says a program for registering domain names in numerous languages can be abused for scam purposes.
The issue involves the Internationalized Domain Name (IDN) system. This builds on the original Domain Name System (DNS) that helps 'translate' a web site name (such as www.infopackets.com) into an IP address. These numbers then identify the location of the server, which then allows communication between the server and client machines (such as a web browser) to take place.
The basic Domain Name System only includes 26 letters in the Latin alphabet that are used for languages such as English, along with some basic variations such as accented letters used in European languages. That means it doesn't work well with languages that use other alphabets.
The Internationalized Domain Name system gets around this by allowing for new top level domains that work in the same way as those used for specific countries (for example, the .ca domain is used for many Canadian websites). These new top level domains will have their own rules for which letters and symbols can be used in website addresses seen by the public.
Addresses Near Identical
Farsight Security says this creates a problem. In some cases, a character in a non-Latin alphabet will be remarkably similar to one in the Latin alphabet. The difference can be as small as a tiny mark besides an otherwise identical character. The company has coined the term "homograph" for such situations. (Source: globenewswire.com)
For example, the letter o with umlaut (ö) appears in the German alphabet and looks similar to the letter "o" used in the Latin alphabet. This means it's possible to register a website that has a domain name that looks almost identical to one in the Latin alphabet that's used for a recognizable brand name. It can be particularly different to spot on a small phone screen.
This could make it easier to trick people into clicking on a link that they thought pointed to a legitimate recognized website but was actually a scam. Users could then be fooled into typing in login details or other security information.
27 Percent Of Sites Could Be Scams
Farsight says it examined 100 million domain names created under the Internationalized Domain Name system and believed 27 percent of them may have been registered for scam purposes. (Source: bbc.co.uk)
One limitation to such scams is that although the main part of the website address will appear to be the recognizable name, the suffix of the domain will not contain the ".com," but rather an alternative top level domain (TLD).
Top level domains typically designate the category of website; .com is used for "commercial" websites, and ".net" are used for "networking" websites, though the two have been used interchangeably. As of April 2018, there are 1543 variations of top level domains.
What's Your Opinion?
Are such scams inevitable? Is it a price worth paying for opening up the web to a wider range of languages? Should browsers warn when you visit a website with a non-Latin alphabet address?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
Browser security needs to be ramped up
This type of scam can be difficult to spot unless your eyesight is keen. That said, web browsers could be programmed to "spot" the difference by comparing UTF characters with similar ASCII variances in the domain name. UTF characters are used with non-Latin alphabets, whereas ASCII contains mostly Latin. I have had to deal with interchanging UTF and ASCII characters with programs I've written for web servers, and it is a real pain to deal with, but it is certainly possible.
What About HTTPS?
Hi Dennis,
I like your idea of getting the browser to keep track of this.
What about HTTPS? wouldn't that be a tip that the bad site is not legit?
HTTPS won't matter
HTTPS, if enabled, only ensures that the page you're viewing is secure (using an SSL certificate). The purpose of HTTPS is so that (a) you can verify that the site you're connected to in fact has a secure certificate, and (b) most importantly, third parties cannot intercept the viewing of the page as it is transmitted to your web browser and vice versa. HTTPS does nothing to prevent website forgeries, such as phishing scams described in the article.
It is possible for scam websites to incorporate HTTPS using a certificate just like any other website. The certificates don't cost that much, but there is some technical know-how to set it up. That said, I would think the majority of scam sites would not bother with this due to the extra cost and deployment.
Wasn't IPv6 supposed to fix all this?
I thought that IPv6 was supposed to fix problems like this. Every device, every node and every user would have a unique IP address, making it easy to verify the sender. Even spoofed IP addresses could be quickly detected.
IPv6 provides 340,282,366,920,938,463,463,374,607,431,768,211,456 unique IP addresses. Or looked at it in another way, that would provide 39,614,081,257,132,168,796,771,975,168 IP addresses for every person on earth. It makes the mere 40 IP addresses on my local net look really tiny.
Why is IPv6 implementation taking so long?
IPv6 has nothing to do with it
26 letters
The internet was designed to use 26 letters. Opening it up to additional letters borders on lunacy. Sadly, the super smart people can also be super short-sighted.
Validating characters in Domain Names is a logical next step
Great Idea.
Sure, I am a native English speaker. The 26 char of the "latin" alphabet is my comfort zone. But the same point can be made for speakers of any language. I don't look for umlat's and other "freaky" stuff. It is easy to miss. ESPECIALLY when we have to deal with shortened domain names and browser address windows that don't / can't show the whole domain address at once. And teeny tiny 7 inch or smaller phone and tablet screens make it that much easier to sneak these characters past users without some sort of automated watch dog.
Our computers are insanely powerful compared the 8086/286 and 386 computers that first built the internet. Look at your task manager. These days, a computer being used for web surfing is 99.99% idle. So throwing some program logic to burn a few CPU cycles to validate domain names makes total sense to me.
Spitballing, how about running a check on the characters in domain name against the characters that are native to the base language the computer is running on. If it finds any foreign characters there needs to be a warning. Especially in TLDs, but almost as important in the rest of the name.
I can also see a context sensitive component. If the user types a non-native character, that is probably safe. A web link with a non-native character is suspect. An IP address that resolves to non-native character, that is suspect.
Adding this sort of feature to our browsers makes perfect sense. It is a natural enhancement to have the browser inform us about suspect characters in a domain name. It is much the same as the "green lock" icon being displayed for a properly formatted HTTPS connection. Heck, it could even be wired in to that mechanism.
Automation can only do so much to protect us. Let's make that automation work for us. The final, informed, decision has to be made by educated users.
This URL problem will increase. Could browser plugins fix it?
This 'essentially identical-looking characters in a URL' problem will increase, and definitely needs to be protected against.
Could a browser plug-in fix this problem prior to the browser companies fixing it?
- Hal Lane