The Dangers of Unicode in Domain Spoofing Phishing Attacks

Companies spend millions of dollars every year on IT security solutions such as firewalls, antivirus, anti-spyware/malware, and email protection software. This year alone, Gartner anticipates businesses worldwide will spend $124 billion on IT security products and services. However, despite the money and people they commit, many companies still fail to recognize one of the most significant threats right beneath their noses: the use of Unicode domains and Unicode URLs in emails, search results, and chat programs as part of domain spoofing and visual spoofing attacks.

This article will explore what Unicode is, how it affects website domains and URL security, what this means for email security in the age of phishing threats, and how organizations can fight back against a threat that is virtually invisible to their employees, using an anti phishing solution that features an integrated URL security check method.

What is a Unicode Domain or Unicode URL?

According to Unicode.org, the Unicode Standard is the successor of traditional character encodings, which were limited and could not represent every letter, number, punctuation mark, or technical symbol in every language. Unicode “provides a unique number for every character, no matter what platform, device, application or language.”

What does Unicode have to do with URL security? A uniform resource locator, or URL, is the complete web address that points to a particular resource on the web. A URL is related to but differs from a web domain, which is the name of the website (apple.com, google.com, clearedin.com). Historically, web domains and URLs needed to be written using only American Standard Code for Information Interchange (ASCII) characters. This is because the original Internet was built in the United States and used only ASCII characters, which represent English language characters such as letters, numbers, punctuation marks, etc. This was beneficial to URL security because it meant that everything was written using the same types of characters and encodings.

However, web standards changed over time as the World Wide Web became internationalized. In 2003, a specification was released that allowed the use of most Unicode characters in domain names to create multilingual web addresses. These internationalized domain names (IDNs) created new challenges for IT security professionals and organizations worldwide concerning visual spoofing, the practice of using international language characters to make a fake URL visually appear legitimate.

The Impact of Unicode On URL Security

According to ICANN.org, the internationalization of websites aims to increase accessibility:

“Internationalizing the domain names is not done in order for all users across the world to be able to type in all domain names. It is done to ease local communication and accessibility. It is called “internationalization” (and not “localization”) because the Internet and the DNS is a function that needs to work on a global or international level. However, it is the individual user or business choice as to what characters (within the current standard and registry offerings) their domain name should contain.”

The URL security issue here is that malicious users can use Unicode characters to make dangerous websites appear as a safe, authentic website. According to cybersecurity researcher Xudong Zheng, the use of Unicode domains to encode IDNs is particularly troublesome from an IT security standpoint:

“Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as ‘xn--pple-43d.com’, which is equivalent to ‘аpple.com’. It may not be obvious at first glance, but ‘аpple.com’ uses the Cyrillic ‘а’ (U+0430) rather than the ASCII ‘a’ (U+0061). This is known as a homograph attack.”

The Dangers of Domain Spoofing to Businesses

The use of Unicode domains has created an issue for IT security and prevention efforts because it means that malicious users and phishers can register fake domains that look like real website domains. Some web browsers use homographic filters to identify domains containing characters belonging to multiple alphabets. However, according to Zheng, if all of the characters in the domain are replaced with similar characters from a single foreign language, it will cause the homograph protections of several major web browsers — Chrome, Firefox, and Opera — to fail.
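
As an added example (not from the original article or from Clearedin), the Python sketch below decodes the Punycode form quoted above and separates the mixed-script case from the single-script case that Zheng says gets past browser filters. The lookalike table is a small constructed sample, and `check_domain`, `skeleton` and the protected-domain set are hypothetical names chosen for illustration.

```python
import unicodedata

# Constructed sample of Cyrillic lookalikes (not the full Unicode confusables data).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l"}

# Constructed all-Cyrillic spelling of "apple" for the single-script case.
SINGLE_SCRIPT_SAMPLE = "\u0430\u0440\u0440\u04cf\u0435.com"


def decode_label(label):
    """Return the Unicode form of one DNS label, decoding the 'xn--' Punycode form."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed encoding: keep the raw label
    return label


def scripts(label):
    """Approximate the scripts in a label from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(text):
    """Map known lookalike characters to the ASCII letters they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in text)


def check_domain(domain, protected):
    """Classify a domain against a set of protected (legitimate) domains."""
    labels = [decode_label(l) for l in domain.lower().rstrip(".").split(".")]
    shown = ".".join(labels)
    if shown in protected:
        return "legitimate"
    target = skeleton(shown)
    if target in protected:
        # A filter that rejects only mixed-script labels misses the single-script case.
        mixed = any(len(scripts(l)) > 1 for l in labels)
        return f"{'mixed' if mixed else 'single'}-script lookalike of {target}"
    return "no match"


if __name__ == "__main__":
    for d in ("apple.com", "xn--pple-43d.com", SINGLE_SCRIPT_SAMPLE, "example.org"):
        print(ascii(d), "->", check_domain(d, {"apple.com"}))
```

Comparing the skeleton against protected names catches both cases, whereas a check on mixed scripts alone would report only the first.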

Many traditional security certificates can’t protect against homograph attacks. Some hackers even go as far as to obtain real Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates for their Unicode domains to establish authority and make them look safe, secure, and legitimate.

How can you protect your employees and customers from email threats they cannot see — especially when they are sent links to websites that even have real security certificates supporting their supposed security and authenticity?

How Clearedin Offers Protection Concerning URL Security

A common practice for phishers is to embed fraudulent links into emails to entice a company’s employees to click on them and either provide information or inadvertently download malware. While some anti phishing software can protect against some phishing threats, many fall short of protecting users from these types of IDNs.

Unlike other anti phishing email and chat solutions, Clearedin analyzes metadata, email addresses, URLs, and more to determine whether anything is being spoofed or seems abnormal. This one-of-a-kind solution enables businesses to stand firm and fight back against phishers who want to lure users into clicking on their cleverly disguised Unicode domains. It also helps protect users against “typosquatting” URLs — or what is known as URL hijacking.

What is typosquatting? This practice occurs when a malicious user registers a domain that is designed to look legitimate but has a slight, almost unnoticeable alteration to trick users into clicking on it. Unlike Unicode domains, typosquatting relies heavily on users mistyping a URL (such as adding an extra “o” to http://www.google.com to make it http://www.gooogle.com).

Clearedin is about training the machine, not the human. The human eye can fall for the visual spoofing and domain spoofing tricks, but Clearedin's machine learning and artificial intelligence (AI) will not. This intelligent platform ensures that such "lookalike" domains, URLs, and email addresses are caught and flagged immediately. This enhanced form of URL security protects users from threats that are virtually indistinguishable to the naked eye while it also provides information about why the threat was flagged to educate the user.

To learn more about the Clearedin platform and how it works to protect organizations and customers like yours around the world from email and URL security threats, contact our team of cyber security experts now.
