Grab a cup of coffee and sit comfortably on your chair because shit is going to be serious today. Today we are going to learn IDN Homograph Attack and then we will use it to do phishing and….well lets keep the latter one a surprise.
Homographs
There are a lot of languages in the world and everyone wants to type in their own language thats why we have developed different characters for different languages. For example,
Latin: A B C D E F G H I J K L M N O P Q R S T U
Cyrillic: а б в г д е ж з и й к л
Devnagri: ऄ अ आ इ ई उ ऊ ऋ ऌ ऍ
Arabic: ﺵ ﺶ ﺷ ﺸ ﺹ ﺺ ﺻ ﺼ ﺽ
Feeling bored already? Ok here’s a question for you, is this character “а” is same as this one “a“?
No they are not the same. The first “а” is in Cyrillic while second “a” is in Latin. Such characters which have similar appearance are called Homographs. Our eyes may not see a difference between homographs but computers treat them as different characters.
Phishing with IDN Homograph Attack
Someone sends you this link facebokk.com/loot.php and when you open this it asks for your username and password. Will you enter your password? Maybe not because its facebokk.com and not facebook.com. So its clear that its phishing attack.
But today we are going to do phishing. Oh! Do you think phishing is an old technique?
Well I am going to change your thinking today. I will be using IDN Homograph Attack with social engineering to pull off a phishing attack.
Step 1. English is written in Latin script but I am going to buy this domain “fаcebook.com” (The a and o‘s are not in Latin, I have replaced them with Cyrillic characters). So our fаcebook.com is different than the original facebook.com.
I am buying this domain from namecheap.com
punycode attack
Wait…Do you see that weird looking domain name that I have marked? Well its meaning is fаcebook.com but the hosting service converted it to Punycode format. If you enter this punycode domain it will also get changed to fаcebook.com. Just host the website somewhere and move on to the next step.
Step 2. Our website is up and running. Now the only thing we need is a phishing page. No! I am not talking about that old login page thing. We are Ultimates so lets do something creative. Here’s how it looks:
phishing
This page asks for the profile URL of a person whom the victim wants to hack and when the victim clicks that Takeover button he gets the following popup
punycode attack
He has to enter his password to confirm his identity and as soon as he enters the password it gets saved on our server. The captcha form makes it more trust able.
Isn’t it beautiful? Well its time to make it even better.
Step 3. Take a look at these two :
facebook.com
https://www.facebook.com
First one is our fake website while second one is the original Facebook. Facebook and all other major websites use HTTPS instead of HTTP, we need to have it on our website too. To get HTTPS we need to get SSL certificate for our website. For this purpose, I will be using a free SSL certificate from here, its a 90 day trial actually.
Step 4. Finally! Everything is ready and now its time to deliver our fake webpage to our victim. But always keep in mind that “Do not send the phishing link directly.” I talked with the victim (he’s my friend) for nearly 5-7 minutes and then passed the phishing link:
social engeering in phishing
Looks like he is going to fall into the trap….and he did.
hacker got hacked
Damn! The hacker got hacked! #Tango_Down
All I did was to create a phishing page which seems to be a part of facebook and doesn’t require you to enter username and password both. Facebook usually asks for a password to confirm something critical and I did the same so the victim didn’t get alerted.
Well you can use IDN Homograph attack in many ways if you are creative enough. Lets take a look at another example with a different approach.
Infecting Users With Cloned Websites
Kali.org is the official website for the Kali Linux. So I repeated the same steps, purchased the domain and got SSL certificate.
Then I cloned (copied all its pages) kali.org using a program named Httrack and edited some of the webpages to show that a new version of Kali Linux is available. The latest Kali Linux version is Kali Linux Rolling 2017.1. but I edited the cloned pages to show that Kali Linux Rolling 2017.2. is released.
Take a look at the release notes,homograph attack
And I added a backdoored iso image to the available downloads
fake website cloneSo I can give the release notes to someone who likes Kali Linux and they will surely fall into the trap and will download my malicious Kali Linux image which will give full control of his system to me.
You see? Homograph attacks can be used in many ways.
Now I am going to end this article right here. I hope you enjoyed it and learned something new.
Keep Learning! Keep Homographing! Keep Hacking!