EvilURL: IDN Homograph Attack

Greetings all,

Today, a brief introduction to a form of spoofing attack known as the IDN homograph attack. IDN stands for internationalized domain name.

How it works:

ASCII has several characters or pairs of characters that look alike; these are known as homographs (or homoglyphs). Spoofing attacks based on these similarities are known as homograph spoofing attacks. For example, 0 (the digit) and O (the letter), or lowercase “l” (L) and uppercase “I” (i).

In a typical example of a hypothetical attack, someone could register a domain name that appears almost identical to an existing domain but leads somewhere else. For example, the domain “rnicrosoft.com” begins with “r” and “n”, not “m”.

Other examples are G00GLE.COM (with zeros), which looks much like GOOGLE.COM in some fonts, and, using a mix of uppercase and lowercase characters, googIe.com (capital i, not small L), which looks much like google.com in some fonts.

PayPal was the target of a phishing scam exploiting this, using the domain PayPaI.com. In certain narrow-spaced fonts such as Tahoma (the default in the address bar in Windows XP), placing a c in front of a j, l or i will produce homoglyphs such as cl cj ci (d g a).

The objective of creating an evil URL is to fool the victim into clicking a malicious link that looks like the intended target but leads elsewhere. This is mainly useful in phishing scenarios.

To demonstrate this, I am going to use a Python script called EvilURL.

Let's begin:

1) First, open a terminal and type: git clone https://github.com/UndeadSec/EvilURL

2) Next, change into the newly created folder by typing: cd EvilURL

3) Type ls to list the available files.

4) Next we need to change the file mode to make the script executable; type chmod +x evilurl.py

5) To execute this Python script you will need python3. Type: python3 evilurl.py

6) Now let's take a deeper look at what an IDN homograph attack is. To do this, we are going to create a scenario.

7) In this scenario, I have created a fake Facebook phishing site, but my victim is too smart to fall for random URLs. So my next issue will be creating a domain name that is as trustworthy as possible for the hack to succeed. And that's where EvilURL.py comes in. Let's take a look at the script and use Facebook as an example.

8) I am going to choose option 1 to generate evil URLs.

9) Insert name: facebook

10) Insert level domain: .com

and press Enter.

11) Here you can see all the newly created evil URLs.

12) So you might wonder, what's the big deal? Where is the phishing part? OK, let's copy one of the evil URLs from the terminal and paste it into our browser.

13) Take a look at the real URL that the browser reveals.

e.g. http://xn-fbk-qzc85c5a5da.com

14) In other words, the characters a, c, e and o were replaced with Cyrillic Small Letter A, Greek Lunate Sigma Symbol, Cyrillic Small Letter Ie and Cyrillic Small Letter O respectively.

So basically, the evil URL that displays as facebook.com = http://xn-fbk-qzc85c5a5da.com

15) Let's try another evil URL.

16) In the image above, the character c was replaced with the Greek Lunate Sigma Symbol. So although to the naked eye it shows as facebook.com, it actually is http://xn-facebook-6pf.com.

17) So you might be wondering: so what? What do we do with all these evil URLs?

18) OK, so this is what happens, since facebook.com is a registered domain and I will never be able to get my hands on it:

a) Use EvilURL to create fake Facebook sites.

b) Register the domain name: xn-fbk-qzc85c5a5da.com

c) Place a malicious link or phishing site on that domain.

d) Give your victim a message, but instead of xn-fbk-qzc85c5a5da.com, give them the evil URL: fаϲеbооk.com

19) To the victim's eyes it will look like facebook.com, but in reality it is a character-replaced version of facebook that leads to http://xn-fbk-qzc85c5a5da.com.

20) So basically, what you do with these URLs is up to your imagination. They are mostly used for phishing.

21) So now let's take a look at the other function, function 2: detect evil URLs.

22) I am going to select option 1.

23) I am going to key in one of the evil URLs we derived earlier.

24) And as the image below shows: Evil Url Detected.
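The detection side of the story (function 2) and the punycode reveal from steps 13 and 14 can be reproduced in a few lines of Python. The following checker is an added example, not EvilURL's own code: it flags a hostname whose label mixes scripts, maps the four confusable code points the post names back to the Latin letters they imitate, and shows the ASCII form the browser reveals. The CONFUSABLES table is a constructed subset for this example; a real checker would load Unicode's full confusables data.

```python
import unicodedata

# Confusable code points the post names (Cyrillic a, ie, o and the Greek lunate
# sigma) mapped to the Latin letters they imitate. Constructed subset for this
# example only; a production checker would load Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u03f2": "c",  # GREEK LUNATE SIGMA SYMBOL
}


def scripts_in(label):
    """Scripts used in one DNS label, read from the Unicode character names
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and '-' are ignored."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Replace each known confusable with the Latin letter it looks like."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyse_host(host):
    """Report on a Unicode hostname: its punycode form (the ASCII name the
    browser reveals), whether any label mixes scripts, and the Latin-only
    name it imitates, if any."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    scripts = set()
    mixed = False
    for label in labels:
        s = scripts_in(label)
        scripts |= s
        if len(s) > 1:          # e.g. Latin b, k beside Cyrillic a, e, o
            mixed = True
    skel = ".".join(skeleton(label) for label in labels)
    return {
        "host": host,
        "punycode": host.encode("idna").decode("ascii"),
        "scripts": scripts,
        "mixed_script": mixed,
        "looks_like": skel if skel != host else None,
        "suspicious": mixed or skel != host,
    }
```

Feeding it the post's fаϲеbооk.com yields a report with mixed_script set, three scripts listed, and looks_like equal to facebook.com, while the genuine facebook.com comes back clean with its punycode form unchanged.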

Hope that helps.

James Messiah