IDN Spoofing


IDN spoofing, or Internationalized Domain Name spoofing, is an attack technique in which attackers exploit visual similarities between characters from different scripts to register domain names that look like legitimate ones but lead to attacker-controlled websites.

Here's how it works:

  • IDNs: Internationalized Domain Names allow labels containing non-ASCII characters (Cyrillic, Greek, Chinese and many others), making the Internet more accessible to people worldwide. In DNS itself an IDN label is carried in an ASCII form called Punycode, prefixed with "xn--"; browsers decode that form back to Unicode for display.

  • Character similarity: Some characters in different scripts look almost identical. For example, the Latin letter "a" (U+0061) and the Cyrillic letter "а" (U+0430) render identically in most fonts, yet they are different code points and therefore name different domains.

  • Deceptive domain names: Attackers register domain names that use these look-alike characters (homoglyphs) to mimic legitimate websites. For example, they might register "paypal.com" with a Cyrillic "а" in place of a Latin "a"; it is a separate, registrable domain that a user cannot tell apart from the real one by sight.

  • Reaching users: Victims rarely type such a name themselves; they are led to it by a link in a phishing email, a chat message or an advertisement. The destination is an attacker-controlled site that may be a pixel-perfect copy of the legitimate one, enabling credential phishing, malware distribution and data theft.

IDN spoofing is particularly dangerous because users cannot reliably distinguish a spoofed domain from the legitimate one by looking at it. Mainstream browsers mitigate this by displaying a label in its Punycode form rather than in Unicode when the label mixes scripts, but a label built entirely from look-alike characters of a single script can still render as the Unicode string, so display rules alone are not a complete defence. This makes IDN spoofing an effective technique for tricking users into entering sensitive information or downloading malware.

Here are some examples of IDN spoofing:

  • An attacker registers a domain name that looks like "apple.com" but uses the Cyrillic "а" (U+0430) instead of the Latin "a", or the Cyrillic "е" (U+0435) instead of the Latin "e".

  • An attacker registers a domain name that looks like "microsoft.com" but uses a Greek "ο" (omicron, U+03BF) instead of a Latin "o".

IDN spoofing is a growing threat as the use of IDNs increases. It is essential to be aware of the risks and take steps to protect yourself from this type of attack.

ThreatNG helps combat IDN spoofing by providing a comprehensive solution to identify and mitigate this specific type of digital risk. It does this by focusing on external discovery, assessment, and investigation from an attacker's point of view.

External Discovery and Assessment

ThreatNG’s external discovery can perform purely external, unauthenticated discovery, which is essential for identifying malicious domains created through IDN spoofing. The platform’s external assessment capabilities include Brand Damage Susceptibility, which is derived in part from Domain Intelligence, including Domain Name Permutations. This allows ThreatNG to find and evaluate look-alike domains that could be used for IDN spoofing attacks. For example, if a cybercriminal registered a domain using homoglyphs that mimic a legitimate brand, ThreatNG's discovery and assessment would flag this as a potential threat and contribute to the brand damage score.

The BEC & Phishing Susceptibility assessment is also relevant, as IDN spoofing is often a key component of business email compromise (BEC) and phishing campaigns. This assessment uses Domain Intelligence capabilities, such as Domain Name Permutations, to help identify these risks.

Continuous Monitoring and Reporting

ThreatNG's continuous monitoring of external attack surfaces, digital risks, and security ratings is critical for defending against IDN spoofing. It ensures that any newly registered malicious domains are detected promptly, enabling a rapid response before a phishing campaign can cause significant harm.

The solution's reporting capabilities provide actionable insights into these risks. The Security Ratings report, for example, would give an organization a clear grade (A through F) on its security posture, which would be affected by the presence of IDN spoofing domains. The Prioritized Report would highlight these risks as high, medium, low, or informational, helping security teams focus on the most critical threats.

Investigation Modules and Intelligence Repositories

ThreatNG’s Investigation Modules offer the tools to analyze IDN spoofing threats in depth. The Domain Intelligence module is a primary defense, specifically through its DNS Intelligence capabilities. The Domain Name Permutations feature is explicitly designed to detect manipulations of a domain, including homoglyphs, providing mail records and IP addresses for those permutations that are registered. This means ThreatNG can not only identify that an IDN spoofing domain exists but can also provide the technical details necessary to investigate and take action.

For example, if an attacker registers аmazon.com (with a Cyrillic 'а', carried in DNS as xn--mazon-3ve.com), ThreatNG's Domain Intelligence would detect this homoglyph and provide the associated IP address and mail records, enabling the organization to confirm that it is a fraudulent site and take action.
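As an added example (not part of the original page and not ThreatNG's code), the following Python shows both the mechanism described in the "how it works" list above and the homoglyph detection this section attributes to Domain Name Permutations: it folds Cyrillic and Greek look-alikes to a Latin "skeleton", flags labels that mix scripts, and reports the Punycode (xn--) form carried in DNS. The confusables table, the protected brand list and the candidate domain list are all constructed for the example; the table is only a small subset of the Unicode confusables data.

```python
"""Homoglyph (IDN spoofing) detection over a constructed list of candidate domains.

Fold confusable characters to a Latin skeleton, flag mixed-script labels and
show the Punycode form that a browser falls back to when it refuses to render
the Unicode label.
"""
import unicodedata

# Illustrative subset of look-alike code points (Cyrillic and Greek letters that
# render like Latin letters). Constructed for this example; real tooling would
# use the full Unicode confusables.txt data.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}

# Constructed brand list the defender wants to protect (registrable labels).
PROTECTED = {"amazon", "apple", "microsoft", "paypal"}

# Constructed candidate feed, as a look-alike monitoring source might produce it.
CANDIDATES = [
    "amazon.com",                          # the genuine domain
    "\u0430mazon.com",                     # Cyrillic а + Latin "mazon" (mixed script)
    "micr\u03bfsoft.com",                  # Greek omicron in place of "o"
    "\u0430\u0440\u0440\u04cf\u0435.com",  # "apple" spelled entirely in Cyrillic
    "example.com",                         # unrelated, must not be flagged
]


def script_of(ch):
    """Coarse script name taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def to_skeleton(label):
    """Replace each confusable character with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in label.lower())


def to_punycode(domain):
    """ASCII (xn--) form as carried in DNS; None if the IDNA codec rejects a label."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def analyze(domain, protected=PROTECTED):
    """Describe whether `domain` is a homoglyph of a protected brand."""
    labels = domain.lower().split(".")
    # Second-level label only; real tooling would consult the Public Suffix List
    # so that multi-level TLDs such as co.uk are handled correctly.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    scripts = {script_of(c) for c in label if c.isalpha()}
    is_idn = any(ord(c) > 127 for c in label)
    skeleton = to_skeleton(label)
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "skeleton": skeleton,
        "mixed_script": len(scripts) > 1,
        # Only a non-ASCII label whose skeleton equals a brand is a homoglyph;
        # the genuine domain matches its own skeleton but is not an IDN.
        "homoglyph_of": skeleton if is_idn and skeleton in protected else None,
    }


def scan(candidates=CANDIDATES, protected=PROTECTED):
    """Return the analysis record for every candidate that impersonates a brand."""
    return [r for r in (analyze(d, protected) for d in candidates) if r["homoglyph_of"]]


if __name__ == "__main__":
    for hit in scan():
        kind = "mixed-script" if hit["mixed_script"] else "whole-script"
        print(f"{hit['domain']} -> {hit['punycode']} impersonates "
              f"{hit['homoglyph_of']} ({kind} homoglyph)")
```

Running the script flags three of the five candidates. The Cyrillic-only "apple" is caught by the skeleton comparison even though it is not mixed-script, which is exactly the case a browser's mixed-script display rule does not cover; this is why look-alike monitoring compares folded skeletons rather than relying on what the browser chooses to render.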

ThreatNG's Intelligence Repositories (DarCache) also help in combating IDN spoofing. The DarCache Vulnerability repository, for instance, provides a proactive approach to managing external risks by understanding the real-world exploitability of vulnerabilities. This could include vulnerabilities in DNS or web servers that could be exploited to launch phishing campaigns using IDN spoofing.

Complementary Solutions

ThreatNG can work with complementary solutions to bolster defenses against IDN spoofing. For example, the detailed findings from ThreatNG on a malicious IDN spoofing domain could be shared with an email security platform. This platform could use the information to block emails containing links to that malicious domain, preventing phishing attacks from reaching employees' inboxes. The continuous monitoring of ThreatNG would ensure that the email security platform is always up-to-date with new threats.

Another example would be working with a Web Application Firewall (WAF). ThreatNG’s discovery of a subdomain takeover vulnerability could inform the WAF, which could then be configured to block suspicious traffic patterns or requests directed to that specific subdomain. The proactive intelligence from ThreatNG enhances the WAF's effectiveness at a network level.
