
IDN Spoofing: amazn.com NOT really amazon.com - looks exactly the same!

Status
Not open for further replies.

Domagon

I've seen examples of IDN spoofing in the past, but this one really threw me for a loop ... it appears EXACTLY the same!

xn--amazn-mye.com is currently listed for sale on TheOutbidder.com

http://www.theoutbidder.com/cgi-bin/ViewItem.cgi?ID=1106687048&Lang=English

And it appears to be valid punycode...

http://mct.verisign-grs.com/conversiontool/convertServlet?input=xn--amazn-mye&type=PUNYCODE

If this is the future of IDNs, computer security problems are about to get much, much worse - how is the average person (heck, even I couldn't tell the difference) supposed to know if a link is real or not - which ones below are the real amazon.com?

http://amazоn.com
http://amazon.com
http://amazon.com
http://amazоn.com

(answer: the 2nd and 3rd)

Some web browsers may render the letters slightly differently, but MSIE on my computer sure isn't - all 4 appear identical, but they're not - the 1st and 4th in the list don't work (try clicking them!) ... because they're spoofed!

Similar/identical looking IDNs are a timebomb few folks are talking about ... and that's a shame because as people lose trust in the internet, they'll go elsewhere - and that hurts many people, including us folks here - domains become much less valuable if they can no longer be trusted; likely to be less relied upon by consumers, business, etc.

Ron

p.s. below is the whois info for the spoofed amazоn.com IDN:

Domain Name: xn--amazn-mye.com
Registrar: Spot Domain LLC

Expiration Date: 2006-01-09 00:19:19
Creation Date: 2005-01-08 22:20:46

Name Servers:
ns1.domainsite.com
ns2.domainsite.com
ns3.domainsite.com
ns4.domainsite.com

REGISTRANT CONTACT INFO
Mohawk River Technologies, Inc.
Eric Padua
160 Bunker Hill Rd
Mayfield, NY 12117
US
Phone: 5188637030
Phone Code: 1 United States
Fax:
Email Address: [email protected]

ADMINISTRATIVE CONTACT INFO
Mohawk River Technologies, Inc.
Eric Padua
160 Bunker Hill Rd
Mayfield, NY 12117
US
Phone: 5188637030
Phone Code: 1 United States
Fax:
Email Address: [email protected]

TECHNICAL CONTACT INFO
Mohawk River Technologies, Inc.
Eric Padua
160 Bunker Hill Rd
Mayfield, NY 12117
US
Phone: 5188637030
Phone Code: 1 United States
Fax:
Email Address: [email protected]

BILLING CONTACT INFO
Mohawk River Technologies, Inc.
Eric Padua
160 Bunker Hill Rd
Mayfield, NY 12117
US
Phone: 5188637030
Phone Code: 1 United States
Fax:
Email Address: [email protected]
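As an added illustration (my own code, not Ron's and not anything the thread links to), here is the check a browser or mail filter could run on the four links above: decode the A-label back to Unicode, list each character's code point and script, and flag any label that mixes scripts. The script test is a simplified heuristic based on Unicode character names, not the full Unicode confusables data; the samples are constructed from the genuine name and the xn--amazn-mye spoof quoted in the post. The has_ace_label function is the blunt "xn--" prefix filter that comes up later in the thread.

```python
import unicodedata

# Added example: inspect a hostname the way a cautious client might, so the
# spoof in the thread shows up as a Latin/Cyrillic mix instead of as a string
# that looks identical to the real one.

ACE_PREFIX = "xn--"  # prefix of every punycode (A-label) in the DNS

# Simplified script heuristic (assumption for illustration): take the first
# word of the Unicode character name. Digits, hyphens and punctuation count
# as COMMON because they belong to no single script.
KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def to_unicode(hostname: str) -> str:
    """Decode xn-- labels to their Unicode form; other labels pass through."""
    labels = []
    for label in hostname.split("."):
        if label.lower().startswith(ACE_PREFIX):
            labels.append(label.encode("ascii").decode("idna"))
        else:
            labels.append(label)
    return ".".join(labels)


def to_ascii(hostname: str) -> str:
    """Encode a Unicode hostname to its punycode (A-label) form."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in KNOWN_SCRIPTS else "COMMON"


def scripts_in_label(label: str) -> set:
    """Set of scripts used in one label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes two or more scripts (e.g. Latin + Cyrillic)."""
    return any(len(scripts_in_label(label)) > 1
               for label in to_unicode(hostname).split("."))


def has_ace_label(hostname: str) -> bool:
    """The coarse filter: does any label carry the xn-- prefix at all?"""
    return any(label.lower().startswith(ACE_PREFIX) for label in hostname.split("."))


def describe(hostname: str) -> list:
    """Per-character (char, U+XXXX, script) tuples for the Unicode form."""
    return [(c, f"U+{ord(c):04X}", script_of(c)) for c in to_unicode(hostname)]


# Constructed samples: the genuine name, the spoof's A-label from the post,
# and the same spoof written with the Cyrillic small letter o (U+043E).
SAMPLES = ["amazon.com", "xn--amazn-mye.com", "amaz\u043en.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:22} A-label={to_ascii(host):22} "
              f"mixed={is_mixed_script(host)} ace={has_ace_label(host)}")
        for ch, cp, script in describe(host):
            if script != "LATIN" and script != "COMMON":
                print(f"    {ch} {cp} {script}")
```

Showing the A-label beside the rendered name, as the output above does, is the same idea as the two-address-bar suggestion later in the thread: the two forms of a spoofed name differ even when the glyphs do not.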
 

fischermx

I've just clicked the four.
2 go to real amazon.
2 go to a "for sale" page.

Spoooooooky !! :(

I'm using Netscape 7 and they all seem identical here.
 

scorpio

Wow, they all look the same...

Really a big security problem .. say some bank site is done like that, or, for us, a domain registrar site..

What can one do to be secure in this case..
 

Domagon

The spoofed links actually resolve in Firefox - one of those rare times in which MSIE is more secure - at least for the moment; eventually IDNs will likely be universally supported by all browsers.

Ron
 

GiantDomains

valuenames said:
The spoofed links actually resolve in Firefox -
Ron
Not for me, I get the for sale page. And on the spoofed ones, the "o" in Amazon is smaller in the browser window (FF).
 

Domagon

While Slashdot.org rejected my submission about the amazon.com IDN spoof, they did run the following article today regarding IDN spoofing ...

http://it.slashdot.org/article.pl?sid=05/02/07/1323206&tid=172&tid=113&tid=154&tid=95&tid=1

IDN spoofing isn't totally new, but is now becoming better known as IDN is being more widely implemented in web browsers; ironically, the default MSIE install is more secure - doesn't support IDNs while Firefox (there's a bug in Firefox that prevents IDNs from being totally disabled) and other browsers do.

Phishing is about to go from bad to worse ... and the consequences could be devastating for domain name speculators - the value of domains could be greatly affected, likely for the worse, if the IDN problem isn't quickly solved - if people lose trust in domain names, what does one think that will do to domain values ...

The IDN spoofing problem needs to be more publicized so as to encourage real fixes now before it's too late...

Ron
 

Domagon

ICANN is aware of it, but unless more folks make a stink about it by spreading the word about this threat, ICANN is likely not going to do much of anything.

Key is to spread the word - and point folks to this thread - when people see examples of IDN spoofing, such as I posted, then it becomes clear to them how much of a threat the current *implementation* of IDNs is to security.

Ron
 

mole

valuenames said:
Key is to spread the word - and point folks to this thread - when people see examples of IDN spoofing, such as I posted, then it becomes clear to them how much of a threat the current *implementation* of IDNs is to security.

I agree the need to address such issues is huge as more companies take transactions online. The people who stand to suffer most now are the big online companies. They will no doubt be on the case where this is concerned.

As for ICANN, I wonder if they are more concerned with allowing IDNs because of the extra revenue it can squeeze out for registrars or security per se. This is a difficult one.
 

Domagon

Registrars may lose out this time around ... companies, etc will quickly find that trying to register all spoofable variations of their domains is a futile effort:

Below illustrates better what I mean ...
(combinations - 1) x $7 USD per domain

amazon.com = 588 combinations with IDNs ... cost $4109 USD per year

dnforum.com = 60 combinations with IDNs ... $413 USD per year

ebay.com = 210 combinations with IDNs ... $1463 USD per year

google.com = 180 combinations with IDNs ... $1253 USD per year

yahoo.com = 756 combinations with IDNs ... $5285 USD per year

And one of my domains tops them all with 3920 combinations with IDNs; only 8 characters in length. One of those times in which pursuing legal action as needed is likely much cheaper than trying to register the other 3919 domains upfront at a whopping $27,433 USD per year!

And keep in mind my numbers are based only on the characters in one character set ... see url below:

http://www.blooberry.com/indexdot/html/tagpages/entities/charentity224-255.htm

Other character sets exist, some of which also contain similar, and even identical looking characters.

The upshot is that the dollar amounts in the above examples, while they appear to be manageable for some companies, *are actually MUCH higher* when other character sets are figured into the calculations I made above ... thus the actual cost to, for example Amazon.com, to protect all spoofable IDN combinations is likely upwards of 100 to 1000+ times more ... ie. Amazon.com could potentially have to spend Millions of Dollars $USD per year!

Even a large company like Amazon.com will not tolerate the expense of many millions just to register IDNs and thus there will likely be a collective backlash against all use of IDNs unless ICANN acts quickly ...

And that backlash could likely include filtering of all punycode domains by ISPs, corporate networks, email programs, etc ... such filtering is a cinch to implement, since all IDNs in .COM (possibly other TLDs too) start with the characters "xn--"

Ron
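To make the arithmetic behind the figures above reproducible, here is an added example (my code, not Ron's; he does not give his exact table). It counts the spellings of a label when each letter may be replaced by a look-alike from a constructed table limited, as his count was, to the accented Latin-1 letters in the 224-255 range, applies his (combinations - 1) x $7 formula, and enumerates the variants together with their xn-- forms. The table is an assumption: with it, the amazon, yahoo and google figures in the post come out exactly, while the others in the post do not, so it is an illustration of the method rather than a reconstruction of his numbers.

```python
from itertools import product

# Constructed look-alike table (assumption for illustration): lower-case
# Latin-1 letters that resemble an unaccented ASCII letter. Other scripts
# such as Cyrillic or Greek would add many more alternatives per letter.
LOOKALIKES = {
    "a": "àáâãäå",
    "c": "ç",
    "e": "èéêë",
    "i": "ìíîï",
    "n": "ñ",
    "o": "òóôõö",
    "u": "ùúûü",
    "y": "ýÿ",
}

PRICE_PER_DOMAIN_USD = 7  # the per-domain yearly price used in the post


def variant_count(label: str) -> int:
    """Number of spellings when each character may be itself or a look-alike.

    The count is the product over characters of (1 + number of look-alikes),
    and it includes the genuine spelling itself.
    """
    total = 1
    for ch in label:
        total *= 1 + len(LOOKALIKES.get(ch, ""))
    return total


def yearly_defensive_cost(label: str, price: int = PRICE_PER_DOMAIN_USD) -> int:
    """Cost of registering every variant except the one you already own."""
    return (variant_count(label) - 1) * price


def variants(label: str):
    """Lazily generate every look-alike spelling (the first one is the genuine label)."""
    choices = [ch + LOOKALIKES.get(ch, "") for ch in label]
    for combo in product(*choices):
        yield "".join(combo)


def ace_forms(label: str) -> list:
    """Punycode (A-label) form of every variant; all but the genuine one start with xn--."""
    return [v.encode("idna").decode("ascii") for v in variants(label)]


if __name__ == "__main__":
    for name in ["amazon", "yahoo", "google", "ebay"]:
        print(f"{name}: {variant_count(name)} combinations, "
              f"${yearly_defensive_cost(name)} USD per year")
    # A handful of the variants and their wire form, to show that each one is a
    # distinct xn-- registration.
    for v, ace in list(zip(variants("amazon"), ace_forms("amazon")))[:5]:
        print(f"  {v} -> {ace}")
```

Because the count is a product, every extra look-alike for a single letter multiplies the total rather than adding to it; that is why an 8-character name with a few more confusable letters reaches thousands of variants while most of the names above stay in the hundreds.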
 

mikesherov

seems like a simple fix to me.... have a browser with 2 address bars on top of each other... the top one shows the spoofable address, the bottom shows the punycode.

However, until this is implemented, I agree that IDNs are a real danger.
 

Pleski

I am on Firefox and I can tell the difference. In the spoofed domains, the "O" looks darker. However, this is a real problem because you can't tell the difference in the address bar. Paypal scammers will be a much larger problem.
 

jberryhill

http://www.icann.org/meetings/mardelplata/captioning-public-forum-2-07apr05.htm
[John Klensin]
BASICALLY, FOR THOSE OF YOU WHO HAVEN'T NOTICED, A NUMBER OF ISSUES WHICH ARE IDENTIFIED TO ICANN AND BY ICANN SEVERAL YEARS AGO HAVE NOW SURFACED AND GOTTEN A GREAT DEAL OF ATTENTION.
WE'RE SEEING ISSUES ABOUT LOOKALIKE CHARACTERS IN DIFFERENT SCRIPTS. THERE WAS A GREAT DEAL OF FUSS ABOUT A DOMAIN THAT LOOKED LIKE PAYPAL.COM BUT HAD A LOT OF CYRILLIC CHARACTERS IN IT. AND THIS PARTICULAR SPOOFING ATTACK WHICH COULD BE USED FOR PHISHING OR PHARMING ACTIVITIES NOT ONLY CAME WITH A DOMAIN NAME REGISTRATION BUT ALSO AN SSL CERTIFICATE WHICH --

>>VINT CERF: JOHN, IF I COULD INTERRUPT YOU FOR ONE MOMENT.
THE TERMS PHISHING AND PHARMING IF THEY ARE BEING TRANSLATED MAY WELL BE TRANSLATED INTO THE AGRICULTURAL ACTIVITIES THEY SOUND LIKE. WOULD YOU BE SO KIND AS TO BE QUITE CLEAR ABOUT WHAT THEY MEAN IN THIS CONTEXT.

>>JOHN KLENSIN: YES. THESE TWO TERMS, APPROPRIATELY SPELLED WITH A P-H RATHER THAN "F," INVOLVE USE OF METHODS OFTEN BASED ON SPAM E-MAIL OR TRICK WEB PAGES TO CONFUSE PEOPLE INTO BELIEVING THAT THEY'RE LOOKING AT SOMETHING DIFFERENT FROM WHAT THEY'RE LOOKING AT ACTUALLY, USUALLY AS A MEANS OF IDENTITY THEFT.
THE MOST COMMON ATTACKS HAVE INVOLVED PAGES WHICH LOOK LIKE PAGES BELONGING TO BANKS, OR OTHER FINANCIAL INSTITUTIONS, ASKING PEOPLE TO REVERIFY THEIR INFORMATION OR CREDENTIALS AND IN THE PROCESS ASKING FOR CREDIT CARD NUMBERS, PINS, NATIONAL IDENTITY NUMBERS AND OTHER THINGS WHICH CAN THEN BE USED IN IDENTITY THEFT ATTACKS.
THIS IS IMPORTANT BOTH IN THE -- THIS IS IMPORTANT WITH AND WITHOUT IDNS, AND WITH AND WITHOUT OTHER DNS TRICKS, INCLUDING SOME OF THOSE THAT HAVE BEEN TALKED ABOUT IN CONNECTION WITH DNSSEC.
BUT THE IDN ISSUE IS THAT WHILE THE PROBLEMS ARE NOT NEW, THE NUMBER OF OPPORTUNITIES HAVE VASTLY INCREASED AS WE ADD TO THE NUMBER OF CHARACTERS WHICH HAVE BEEN USED IN DOMAIN NAMES.
HAVING SEEN THE PARTICULAR GROUP OF PROBLEMS ASSOCIATED WITH INTERMIXING CYRILLIC AND ROMAN SCRIPTS, THE BROWSER VENDORS SUDDENLY DISCOVERED THAT WHEN WE'VE BEEN LOOKING AT INTERNATIONALIZED DOMAIN NAMES, WE'VE BEEN AVOIDING URLS.
AND IT TURNS THOUGHT USERS DON'T, IN GENERAL, USE DOMAIN NAMES; THEY USE E-MAIL ADDRESSES, WHICH CONTAIN DOMAIN NAMES AND SOME OTHER THINGS, AND THEY USE URLS, WHICH CONTAIN DOMAIN NAMES AND SOME OTHER THINGS.
AND A SECOND ATTACK HAS BEEN DEMONSTRATED WHICH INVOLVES A CHARACTER WHICH LOOKS LIKE A SLASH.
AND IF YOU HAVE A CHARACTER WHICH LOOKS LIKE A SLASH AND ISN'T, THEN YOU CAN CONSTRUCT A URL THAT CONTAINS SOMETHING WHICH LOOKS LIKE A DOMAIN NAME IN SOME FAMILIAR DOMAIN BUT IS ACTUALLY A DOMAIN NAME SOMEWHERE ELSE WHICH DOESN'T LOOK AT ALL LIKE THE DOMAIN NAME INVOLVED AND, AGAIN, CAN MISLEAD PEOPLE INTO GOING INTO STRANGE PLACES AND WHICH THEY WOULD NOT DO IF THEY KNEW WHO THEY WERE ACTUALLY TALKING WITH.
WE'VE ALSO DISCOVERED, AGAIN -- REDISCOVERED WOULD BE MORE APPROPRIATE -- THE FACT THAT THE EXCHANGE OF DOMAIN NAMES AND URLS IN RADICALLY DIFFERENT SCRIPTS AMONG PEOPLE WHO USE OR UNDERSTAND ONE OF THOSE SCRIPTS AND PEOPLE WHO USE OR UNDERSTAND SOME OTHERS BUT NOT THAT ONE IS A MUCH MORE DIFFICULT PROBLEM THAN MANY OF THE ADVOCATES OF IDNS HAD UNDERSTOOD OR ACKNOWLEDGED.
IT'S AN ISSUE.
WE'LL EXPLORE THAT MORE IN THE FUTURE.
BUT AS I SAY, THESE ARE RESURFACING OF PROBLEMS WE'VE IDENTIFIED BEFORE.
WE PROBABLY STILL HAVEN'T IDENTIFIED ALL THE ISSUES.
IT'S CLEAR THAT WE NEED TO PROCEED AS SWIFTLY AS POSSIBLE WITH IDN DEPLOYMENT, BUT THAT AS SWIFTLY AS POSSIBLE REQUIRES THAT WE EXERT CAUTION, INTELLIGENCE, AND CONCERN FOR THE USERS AND THE REGISTRANTS.
WE'VE HAD SOME REACTIONS.
WE'VE HAD SOME VERY STRONG REACTIONS FROM THE COMMUNITY AND FROM THE PRESS, AND WE'VE HAD SOME VERY STRONG REACTIONS FROM THE BROWSER VENDORS.
ONE BROWSER VENDOR, WHO WILL GO UNNAMED, IMMEDIATELY ISSUED A PRESS STATEMENT WHICH SAID, "WELL, THE REASON WHY WE HAVEN'T IMPLEMENTED IDNS IS TO PROTECT ALL OUR USERS BECAUSE. AND YOU'LL NOTICE THAT WE HAVEN'T BEEN VICTIMS OF THIS ATTACK IS BECAUSE WE DIDN'T SUPPORT THIS FACILITY.
THIS IS BAD NEWS FOR RAPID IDN DEPLOYMENT.
SEVERAL OTHERS SAID IF IDNS IMPOSE THESE RISKS, UNTIL A BETTER STRATEGY CAN BE DEVISED, WE WILL SIMPLY AVOID PRESENTING CHARACTERS OUT OF IDNS IN NATIVE SCRIPTS AND START PRESENTING THEM ONLY IN THE INTERNAL ENCODER.
THAT STRATEGY HAS EVOLVED NOTIONS ABOUT BLACK LISTS AND WHITE LISTS OF DOMAINS WHICH ARE BEING, IN THE JUDGMENT OF THE BROWSER VENDORS, CAREFUL ENOUGH ABOUT PROTECTING AGAINST NAMES WHICH LOOK THE SAME AND PROTECTING AGAINST NAMES WHICH ARE DANGEROUS IN OTHER WAYS.
IT'S VERY CLEAR FROM THE BROWSER VENDOR SIDE OF THE COMMUNITY THAT THE USERS WILL BE PROTECTED AGAINST IDN-BASED ATTACKS; AND IF THEY CAN'T PROTECT THE USERS EFFECTIVELY IN ANY OTHER WAY, THERE WILL BE NO IDNS.
ICANN, THE IETF, AND THE APPLICATIONS DEVELOPER COMMUNITIES ARE GOING TO NEED TO WORK TOGETHER FOR A SATISFACTORY SOLUTION WHICH REALLY PERMITS IDNS TO BE DEPLOYED IN AN EFFECTIVE WAY AND USABLE BY THE END USERS.
REGISTERING THESE THINGS IS OF NO USE IF THE USERS CAN'T SEE THEM.
IT'S GOING TO BE PARTICULARLY CRITICAL THAT WE HAVE REGISTRY ACTION TO PROTECT AGAINST SEPARATE REGISTRATIONS OF LOOK-ALIKE NAMES.
SO WE'VE GOT SEVERAL SEPARATE THINGS GOING ON RIGHT NOW.
 