Fractional Slash Domains

@SighSec and I recently discovered there are more types of homograph symbols you are allowed to use when registering an IDN (Internationalised Domain Name) than expected. These symbols could potentially be used to trick unwary users into following malicious links by making a domain appear as though it were referencing a local file or one on a mapped drive.

Background on IDNs

IDN homograph attacks most recently entered mainstream news in Q2 2017. It was shown that domains could be registered using regular ASCII characters alongside characters from other languages, a feature intended to support domain names for countries with different character sets. This presented an issue because characters could be swapped out for their doppelgangers (homographs), allowing anyone to register xn--80ak6aa92e.com, which, once rendered, looks almost exactly like apple.com!


This becomes particularly dangerous when ASCII characters are substituted with variants carrying diacritics, e.g. twitter.com becomes ṭwitter.com. Note the small dot below the first “t”, which could easily be mistaken for a speck of dust. You can find examples of these mimicking cryptocurrency sites on my Twitter page, @ObliviSec.

Fractional Slash Domains

We detected the use of a fractional slash symbol to produce a domain that could be very confusing for phishing targets.
com⁄document⁄d⁄frshlmn.ML
com∕profile∕.ML

Here is the difference:
⁄ - Fractional slash
/ - Regular slash (not allowed in domain names)

This technique could quite easily be used to produce domain names that look like directory paths. To test this we used a Punycode converter to obtain the Punycode form of a fractional slash domain, then put it into DomainTools to see whether it looked okay... job's a good 'un!
https://whois.domaintools.com/xn--cwindowssystem32-436iha.ml


Interesting, but let's take this one step further and attempt to disguise the domain using more homographs. We tested quite a number of look-alikes; the table below notes the symbols that rendered correctly and looked somewhat convincing.


Some registrars do block the registration of domains using some of the characters above, though we have not checked this extensively. Freenom seems to let us.

Attack Scenarios

Using domains containing these symbols, you can trick a user into believing that they are following a link to a local file, though this may require extra effort on the social engineering side. Different TLDs can be used to mimic file types that a less knowledgeable user may believe exist on their system. To name a few:
‘.com’ – A command file from the 70s
‘.ws’ – A windows script file
‘.win’ – Appears as though it could be an abbreviation of ‘Windows’
‘.ml’ – A file type associated with F#


Consider an email asking a user to run a local script on their own C drive to perform a fake corrective action; dress the email up with spiel and fancy words and they might not think twice about visiting a link that appears to be on their own machine. Below is an example of how this scenario could be used.


Recipients using Outlook will see the rendered hyperlink rather than Punycode... extra phishy!
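On the defensive side, the same properties that make these domains convincing (legal IDN labels containing slash look-alikes, diacritic-decorated ASCII letters, or non-Latin scripts) are straightforward to detect before a hyperlink is rendered or released from a mail gateway. The following is an added example and not code from the original post: it decodes Punycode hostnames with Python's standard-library IDNA codec, reports the rendering hazards found in each label, reconstructs the ASCII text a casual reader would perceive, and runs that check over the hostnames in a message body. The sample mail body is constructed; the two Punycode domains in it (xn--cwindowssystem32-436iha.ml and xn--80ak6aa92e.com) are the ones quoted above. The dataclass, function names, and the mixed-script rule are this example's own choices, not anything the post describes.

```python
"""Defensive IDN inspection: decode xn-- labels to their display form, flag
slash look-alikes, decorated ASCII letters and mixed scripts, and show the
ASCII string a casual reader perceives.  Added example, not the post's code."""
import re
import unicodedata
from dataclasses import dataclass, field

# Hosts inside http(s) URLs; the class stops at '/', so a raw fraction slash
# (U+2044) inside a hostname is still captured as part of the host.
URL_HOST_RE = re.compile(r"https?://([^\s/?#\"'<>]+)", re.IGNORECASE)
# '.' plus the full-stop equivalents IDNA2003 treats as label separators.
LABEL_SEP_RE = re.compile("[.\u3002\uff0e\uff61]")


@dataclass
class LabelReport:
    label: str                                             # Unicode form of the label
    slash_lookalikes: list = field(default_factory=list)   # (char, Unicode name)
    decorated_ascii: list = field(default_factory=list)    # ASCII letter + combining mark(s)
    scripts: set = field(default_factory=set)              # e.g. {'LATIN', 'CYRILLIC'}

    @property
    def suspicious(self) -> bool:
        return bool(self.slash_lookalikes or self.decorated_ascii or len(self.scripts) > 1)


def is_slash_lookalike(ch: str) -> bool:
    """True for non-ASCII characters whose Unicode name marks them as a slash
    (FRACTION SLASH, DIVISION SLASH, BIG SOLIDUS, FULLWIDTH SOLIDUS, ...)."""
    name = unicodedata.name(ch, "")
    return not ch.isascii() and ("SLASH" in name or "SOLIDUS" in name)


def display_form(hostname: str) -> str:
    """The Unicode string a browser or mail client renders.  xn-- labels are
    decoded with the stdlib IDNA codec (IDNA2003); undecodable input is
    returned unchanged so the caller still sees the raw host."""
    if not hostname.isascii():
        return hostname
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname


def split_labels(hostname: str) -> list:
    return LABEL_SEP_RE.split(display_form(hostname))


def inspect_label(label: str) -> LabelReport:
    rep = LabelReport(label=label)
    for ch in label:
        name = unicodedata.name(ch, "")
        if is_slash_lookalike(ch):
            rep.slash_lookalikes.append((ch, name))
            continue
        decomposed = unicodedata.normalize("NFD", ch)
        # e.g. U+1E6D 'LATIN SMALL LETTER T WITH DOT BELOW' -> 't' + U+0323
        if len(decomposed) > 1 and decomposed[0].isascii() and decomposed[0].isalpha():
            rep.decorated_ascii.append((ch, name))
        if ch.isalpha():
            # First word of the character name doubles as a coarse script tag.
            rep.scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return rep


def apparent_text(hostname: str) -> str:
    """What a casual reader perceives: slash look-alikes become '/' (or '\\'),
    combining marks are dropped.  Letters are not transliterated, so a
    Cyrillic label stays Cyrillic and must be caught by the script check."""
    out = []
    for ch in display_form(hostname):
        if is_slash_lookalike(ch):
            out.append("\\" if "REVERSE" in unicodedata.name(ch) else "/")
        else:
            out.extend(c for c in unicodedata.normalize("NFD", ch)
                       if not unicodedata.combining(c))
    return "".join(out)


def scan_text(text: str) -> list:
    """Return (hostname, apparent_text, suspicious) for every http(s) host in
    a message body.  A host is suspicious if any label is, or if its labels
    together span more than one script (e.g. a Cyrillic label under .com)."""
    findings = []
    for host in URL_HOST_RE.findall(text):
        reports = [inspect_label(label) for label in split_labels(host)]
        host_scripts = set().union(*(r.scripts for r in reports))
        flagged = any(r.suspicious for r in reports) or len(host_scripts) > 1
        findings.append((host, apparent_text(host), flagged))
    return findings


# Constructed sample body; the two xn-- hosts are the ones quoted in the post.
SAMPLE_MAIL = (
    "Please run the fix: <a href='http://xn--cwindowssystem32-436iha.ml/'>"
    "c\u2044windows\u2044system32.ml</a>\n"
    "Login at http://xn--80ak6aa92e.com/account to confirm.\n"
    "Docs: https://example.com/help"
)

if __name__ == "__main__":
    for host, seen_as, flagged in scan_text(SAMPLE_MAIL):
        print(f"{'SUSPICIOUS' if flagged else 'ok':10} {host:40} looks like: {seen_as}")
```

Two caveats on the heuristics: the decorated-ASCII rule also fires on legitimate accented names (ü decomposes to u + combining diaeresis), and the host-level mixed-script rule fires on any non-Latin label under an ASCII TLD, so both are review triggers to tune against an allow-list rather than block decisions. A label made entirely of Cyrillic look-alikes, such as the apple.com example, passes the per-label checks; browsers handle that case with whole-script confusable comparison (Unicode TS #39 skeletons), which this example does not implement.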