Video Screencast Help
Security Response

Spoofing Around the URLs

Created: 02 Sep 2009 19:41:32 GMT • Updated: 23 Jan 2014 18:32:51 GMT
Samir_Patil's picture
+1 1 Vote
Login to vote

In an attempt to conceal spam messages from anti-spam filters, spammers employ various tactics of ill intent. And for that purpose, spammers use obfuscation and/or spoofing techniques, the misuse of brand names, and many other tactics that make it difficult for content filtering to identify the spam message.

Recently, Symantec observed a spam attack in which homograph spoofing was used so that the spoofed domain name partially or completely resembles the reputable brand domain name. However, before discussing this trend we will first introduce you to terms that may be unfamiliar, such as IDN, Punycode, and homograph spoofing.

IDN

An internationalized domain name (IDN) is a domain name that contains one or more non-ASCII characters. Such domain names could contain characters from non-Latin scripts such as Arabic, Chinese, or Devnagari.

Example:
The domain “ёxample.com” uses “ё”, which is a Cyrillic character.

Punycode

Punycode is syntax designed for encoding IDNs in applications such that these types of domain names (or their non-ASCII parts) may be represented in the ASCII character set. Using Punycode, non-ASCII characters are converted into the ASCII character set. This provides unique and reversible identification of the domain. Punycode converted names are prefixed with “xn--”.

Example:
Punycode for ёxample.com is http://www.xn--xample-ouf.com/

Homograph Spoofing

This is spoofing of characters by exploiting the fact that in multilingual computer systems, many different characters may have nearly (or wholly) indistinguishable glyphs.

Example:
The domain “ёxample.com” (Russian) nearly resembles to example.com (Latin)

In the below MMF spam example, a spammer is offering free money-making kits. A URL is provided in the message, which directs users to a registration form where a user’s personal information is gathered.

When analyzed closely, we found that the domain in the URL is scripted using IDN. This spoofed domain resembles google.com. The URL and Punycode are as shown in the below image:

imagebrowser image

imagebrowser image

The below table shows various possible spoofed variants of the domain google.com. Many of them closely resemble its Latin counterpart.

imagebrowser image

This is not the first time that spammers have lured recipients into traps by hiding behind legitimate brands. However, users can avoid falling victim to spoofed URLs by looking at the actual URL in the status bar or typing in the URL manually. Taking some time to do a little research can save your personal information from being jeopardized.