Vulnerability allows attackers to register malicious lookalikes of legitimate web domains

Cybercriminals were able to register malicious generic top-level domains (gTLDs) and subdomains imitating legitimate, prominent sites due to Verisign and several IaaS services allowing the use of specific characters that look very much like Latin letters, according to Matt Hamilton, principal security researcher at Soluble.


To demonstrate the danger of these policies, he registered 25+ domains that resemble a variety of popular domains by using a mix of Latin and Unicode Latin IPA homoglyph characters.

“This vulnerability is similar to an IDN Homograph attack and presents all the same risks. An attacker could register a domain or subdomain which appears visually identical to its legitimate counterpart and perform social-engineering or insider attacks against an organization,” he pointed out.

Some homograph domains had already been registered

During this research he also discovered that, since 2017, more than a dozen homograph domains imitating prominent financial, internet shopping, technology and other Fortune 100 sites have had active HTTPS certificates, meaning they had already been registered.

“There is no legitimate or non-fraudulent justification for this activity (excluding the research I conducted for this responsible disclosure),” Hamilton noted, and posited that this technique was used in highly targeted social-engineering campaigns.

He also discovered that Google, for example, allows the registration of bucket names that use Unicode Latin IPA Extension homoglyph characters. In fact, it also allows the registration of subdomains that contain mixed scripts (e.g., Latin and Cyrillic characters), which should likewise be a no-no.

Mitigation and remediation

Hamilton contacted Verisign (which runs the .com and .net domains) and Google, Amazon, Wasabi and DigitalOcean (IaaS providers) in late 2019 and shared his discovery.

All of them confirmed receipt of the responsible disclosure report, but so far only Amazon and Verisign have done something about the problem.

“Safeguarding the stability, security and resiliency of the critical infrastructure we operate is our top priority. While the underlying issue described by Mr. Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited,” a Verisign spokesperson noted.

“Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report.”

Amazon changed its S3 bucket name validation policy to prevent registration of bucket names beginning with the punycode prefix “xn--”, preventing the use of these and all other Unicode homoglyphs.
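A defender-side name validator of the kind implied by Amazon's "xn--" rule and by the IPA-homoglyph and mixed-script findings above, as an added example in Python (it is neither Hamilton's tool nor any provider's code). The finding labels and the sample names are constructed for illustration; the script classification is a coarse one based on Unicode character names.

```python
import unicodedata

# Unicode block the report names as the homoglyph source: IPA Extensions (U+0250-U+02AF).
IPA_EXTENSIONS = range(0x0250, 0x02B0)

def script_of(ch: str) -> str:
    """Coarse script bucket for one character, derived from its Unicode name."""
    if ord(ch) in IPA_EXTENSIONS:
        return "latin-ipa"          # e.g. U+0251 'ɑ', which renders much like 'a'
    if ch.isdigit() or ch == "-":
        return "common"             # digits and hyphens belong to no script
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.lower()
    return "other"

def check_label(label: str) -> list[str]:
    """Return policy findings for one hostname label or bucket name (empty = clean)."""
    findings = []
    if label.lower().startswith("xn--"):
        findings.append("punycode-prefix")   # Amazon's rule rejects at this point
        try:
            label = label.encode("ascii").decode("idna")   # inspect the decoded form too
        except UnicodeError:
            return findings + ["invalid-punycode"]
    scripts = {script_of(c) for c in label}
    if "latin-ipa" in scripts:
        findings.append("latin-ipa-homoglyph")
    letters = {"latin" if s == "latin-ipa" else s for s in scripts} - {"common"}
    if len(letters) > 1:
        findings.append("mixed-script")      # e.g. Latin plus Cyrillic in one label
    return findings

def is_allowed(name: str) -> bool:
    """Registration policy: every label of the name must be free of findings."""
    return all(not check_label(label) for label in name.split("."))

# Constructed sample names: a clean name, an IPA homoglyph ('ɑ' for 'a'),
# a Latin/Cyrillic mix (Cyrillic 'а'), and the punycode form a registrant would submit.
SAMPLES = ["example.com", "ex\u0251mple.com", "ex\u0430mple.com",
           "ex\u0251mple".encode("idna").decode("ascii") + ".com"]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict = "allowed" if is_allowed(name) else "rejected"
        print(f"{name!r}: {check_label(name.split('.')[0])} -> {verdict}")
```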

Hamilton also pointed out that any TLD which allows Latin IPA characters is likely affected by this vulnerability, but that the majority of the most popular sites on the internet use gTLDs (namely .com).

He advises users who discover that someone has registered a homograph of one of their domains to submit an abuse report to the appropriate organization.

He has also promised to soon make available a tool that will help organizations generate homographs for their domains and discover whether they’ve been registered in the last few years.

RSAC Launch Pad 2020 participants revealed

Three cybersecurity startups have been selected to participate in the RSAC Launch Pad 2020. The event gives early stage startups a platform to introduce their potentially groundbreaking solutions to high-profile venture capitalists in a Shark Tank-style format, all in front of a live audience at RSA Conference 2020 in San Francisco.


On Wednesday, February 26, the three finalists will have five minutes to pitch their ideas to the panel of leading cybersecurity VCs, including Theresia Gouw, founding partner at aCrew Capital, Niloofar Howe, senior operating partner at Energy Impact Partners, and Enrique Salem, partner at Bain Capital, and convince them that their products have strong potential for success. No matter the outcome, the finalists can expect to walk away with invaluable insights to take their businesses to the next level, and potentially secure funding.

The selected companies (in alphabetical order) are:

Dasera

Dasera helps build trust between consumers and companies by enabling safe internal use of sensitive data. Our query analysis engine automatically finds, flags, and rewrites unsafe queries in data warehouses.

Soluble

Soluble makes Kubernetes security simple, providing strong identity, access, certificates, policy, secrets, and more. Using a pay-for-what-you-use pricing model, Soluble offers microproducts built on accepted open source tools, managed by its SaaS-based API control plane.

Zero Networks

Zero Networks automates the creation and enforcement of network access policies for each user and machine in your organization, making it simple to scale and maintain an airtight, up-to-date zero trust model for your entire network.

“The annual innovation programming at RSA Conference has become a catalyst for growth and collaboration for cybersecurity professionals at all stages of their careers. We introduced RSAC Launch Pad last year to help new companies, even earlier stage than those participating in RSAC Innovation Sandbox, propel their amazing ideas forward with guidance from some of the industry’s most respected venture capitalists,” said Linda Gray Martin, Senior Director and General Manager, RSA Conference. “By connecting fresh, creative thinkers with proven industry veterans, our ultimate goal for all the innovation programs at RSA Conference is to accelerate growth and drive lasting impact on our ever-evolving industry and community.”

The finalists were selected from a pool of applicants meeting specific participation requirements, including being incorporated for two years or less, privately held with no profit and having no more than a first round of funding. Their products must not be available for commercial sale to the public on or before RSA Conference 2020 but are expected to be launched by summer 2020.