IDN Homographs Increasingly Used To Commit Phishing And Other Malicious Activities: Farsight

Internationalised Domain Name homographs, or lookalike domain names, which are easy to register and often undetected by traditional security solutions, are increasingly being used to commit phishing and other malicious activities, a report released this week by Farsight Security has found. Unsurprisingly, .com, where most global brands register their domain names, was found to be the TLD with the most problems, accounting for over half of the IDN homographs.

The report, “Global Internationalized Domain Name (IDN) Homograph Report, Q2 2018”, examines the prevalence and distribution of these IDN lookalike domain names, or homographs, over a 12-month period, with a focus on 466 top global brands across 11 vertical sectors ranging from banking to retail to technology. The research found that the potential risk posed by IDN homographs is significant and growing. In fact, Farsight observed nearly 100 million total IDN resolutions, including 27.7 million unique Fully Qualified Domain Names (FQDNs).

Just as the Domain Name System (DNS) enables the vast majority of online transactions, IDNs enable a multilingual Internet by allowing Internet users to register and use domain names in almost any written language.

“Farsight is committed to making the Internet a safer place for online transactions for all users. As part of this commitment, Farsight regularly conducts research to reveal possible unknown security risks. IDN homographs are largely undetected – as a result, bad guys can abuse these key DNS assets,” said Dr. Paul Vixie, CEO, Chairman and Cofounder of Farsight Security. “Our research proves that it is critical that organizations identify and manage potential risks to their brands, including IDN homographs.”

As part of the research, Farsight evaluated a cross-section of sectors including: banking, credit and loans, insurance, financial management, ecommerce, clothing retailers, jewellery retailers, luxury retailers, cryptocurrency exchanges, and technology firms.

Key findings of the “Global Internationalized Domain Name (IDN) Homograph Report, Q2 2018” include:

  • Brands in banking and other related sectors are frequently imitated using IDN homographs with ~750 unique resolutions per month;
  • 91% of IDN homographs offered some sort of webpage;
  • The research found clear violations of the ICANN Guidelines for the Implementation of Internationalized Domain Names;
  • 66% of all IDN homograph IP addresses were found to be geolocated in the United States; and
  • 93% of IDN homograph FQDNs had IPv4-based address records.

In its report, Farsight found 797 unique top level domains represented among the 26.7 million IDNs. The TLD with the most IDNs was .рф, the Cyrillic country code top level domain for the Russian Federation; the third-ranked TLD (.ru) is the Latin-script ccTLD for the Russian Federation, and the sixth (.рус) is a Cyrillic gTLD that transliterates to “rus” (as in “Russian”). 10,130,898 of the IDNs (38% of all observed IDNs for that time period) were registered against a Russian-language TLD. The .net TLD came in second, while .com was fourth, .xyz was fifth and Germany’s ccTLD, .de, was seventh.

However, looking at the TLDs with the most IDN homographs, the majority originate from .com, with a total of 4,339 observations or 54% of the total IDN homograph space. This is what Farsight expected, as most top global brands are registered in the .com space, so anything attempting to mimic one of these brands would camouflage itself best by also residing in the same TLD. Even the second most heavily trafficked IDN homograph TLD, .ru, is only seen 1,397 times – or just under 17% of the total space.