HTTP spoofing
What is HTTP spoofing?
HTTP spoofing works by deceiving the user, who is lured by an attacker to a malicious domain with a name that visually resembles a legitimate domain. HTTP spoofing is also called HTTPS spoofing or an IDN homograph attack. This technique, considered a type of man-in-the-middle attack (MITM), is often used for phishing attacks.
Note: Despite the name HTTP spoofing or HTTPS spoofing (both are used to describe this type of attack), this attack technique has very little to do with the HTTP/HTTPS protocols and is, in fact, based on a vulnerability in the international domain name system.
What are IDNs?
In the early days of the Internet, domain names and hostnames could only contain ASCII characters. Internationalized domain names (IDNs) were first proposed in 1987 by Martin Dürst and implemented in 1990 by Tan Juay Kwang and Leong Kok Yong under the guidance of Tan Tin Wee. As a standard, ICANN and other organizations adopted a system called Internationalizing Domain Names in Applications (IDNA).
IDNs made it possible to use all Unicode characters in top-level domain (TLD) names as well as subdomains and hostnames. This was an important accessibility improvement for users of many different alphabets and different languages, but it also introduced an unexpected vulnerability: IDN homographs or rather homoglyphs.
What is an IDN homograph/homoglyph?
A homograph is a word that shares the same written form as another word but has a different meaning. An example of an English homograph could be bow, as in the bow of a ship versus a bow used to shoot arrows (not to mention taking a bow). The related term homoglyph means look-alike characters or glyphs with shapes that appear identical or very similar.
An IDN homograph, which should actually be called IDN homoglyph, is a term used to describe two international domain names that look almost the same but are actually made up of completely different characters. This is possible because some letters from non-Latin alphabets, for example, the Greek alphabet, the Cyrillic alphabet, or even the Arabic alphabet, closely resemble letters from the ASCII character set. For example, the Latin letter I (capital i) and the Cyrillic character І look identical (or almost identical, depending on the font used).
How can IDN homoglyphs be used for attacks?
A scammer can use IDN homoglyphs for malicious purposes by registering a domain that includes IDN homoglyphs of a domain that they want to spoof. For example, they could try to register ɡοοɡlе.com. This is, in fact, not google.com – you can use the Unicode lookup web application to check.
After registering the fake domain, the attacker can scam victims, for example, by using phishing techniques, luring them to a fake website made to look and feel exactly like the original one. The attacker can use such website spoofing to capture information entered by the user, such as login credentials or other types of authentication or access control information, sensitive information, phone numbers, etc.
Note that before IDNs were introduced, HTTP spoofing was also theoretically possible but much easier to spot. For example, the attacker could attempt to register the domain goog1e.com and trick the victim into visiting it instead of google.com. This technique is also sometimes called script spoofing and follows the same idea as typosquatting (registering domains with common misspellings).
It is not known who first used the term homograph attack instead of homoglyph attack, or why, but the incorrect name was adopted by many (as were similar terms such as homograph domain). The topic became hot after security researcher Xudong Zheng published the article Phishing with Unicode Domains in 2017.
What is Punycode?
Punycode is a code used to represent Unicode characters as ASCII characters in domain names and hostnames. Since the original domain name system was not designed with Unicode in mind, it would be very difficult to introduce non-8-bit characters in domain names. Instead, all IDNs are actually stored and processed in Punycode form, for example, on DNS servers, and only displayed in their Unicode form for the users.
For example, if you paste ɡοοɡlе.com into your browser, it will first convert it to Punycode (xn--l-r1aa31la42e.com) and only then send that information further. Many applications, such as email clients, will also work the other way around – if they receive content with Punycode, they will recognize it and display it as Unicode.
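How the conversion described above works, as an added example (not code from the original article): a compact Python implementation of the Punycode encoder defined in RFC 3492. The function names are this example's own, and the IDNA normalization and character mapping that a browser applies before encoding are left out, so the result for some labels can differ from what a browser sends.

```python
# Punycode parameters from RFC 3492, section 5.
BASE, TMIN, TMAX, SKEW, DAMP, INITIAL_BIAS, INITIAL_N = 36, 1, 26, 38, 700, 72, 128
DIGITS = "abcdefghijklmnopqrstuvwxyz0123456789"

def adapt(delta, numpoints, first):
    """Bias adaptation (RFC 3492, section 6.1)."""
    delta = delta // DAMP if first else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)

def punycode_encode(label):
    """Encode one label: ASCII characters are copied, the rest become deltas."""
    cps = [ord(ch) for ch in label]
    out = [chr(c) for c in cps if c < INITIAL_N]
    handled = basic = len(out)
    if basic:
        out.append("-")                      # delimiter after the copied ASCII part
    n, delta, bias = INITIAL_N, 0, INITIAL_BIAS
    while handled < len(cps):
        m = min(c for c in cps if c >= n)    # next code point to insert
        delta += (m - n) * (handled + 1)
        n = m
        for c in cps:
            if c < n:
                delta += 1
            elif c == n:
                q, k = delta, BASE
                while True:                  # write delta as a variable-length integer
                    t = min(max(k - bias, TMIN), TMAX)
                    if q < t:
                        break
                    out.append(DIGITS[t + (q - t) % (BASE - t)])
                    q = (q - t) // (BASE - t)
                    k += BASE
                out.append(DIGITS[q])
                bias = adapt(delta, handled + 1, handled == basic)
                delta = 0
                handled += 1
        delta += 1
        n += 1
    return "".join(out)

def to_ascii(hostname):
    """Hostname as stored in DNS: non-ASCII labels get the 'xn--' prefix."""
    return ".".join(l if l.isascii() else "xn--" + punycode_encode(l)
                    for l in hostname.lower().split("."))
```

Python's built-in `punycode` codec performs the same label encoding and can be used to cross-check the output.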
Example of an HTTP spoofing attack
- The attacker uses the Homoglyph Attack Generator to create a homoglyph of invicti: іnvіϲtі. Note that the letters і and ϲ are non-Latin characters that are homoglyphs of the Latin letters i and c.
- The attacker registers the domain with the homoglyphs (using security measures that make it difficult to track it back to them) and builds a website that looks exactly like the original Invicti website by copying the HTML code. They also purchase a TLS/SSL certificate from a legitimate certificate authority for the domain to make it look fully legitimate, even for HTTPS websites.
- You receive a phishing email that looks like it’s coming from invicti.com (the attacker also uses email spoofing techniques), promoting a new interesting security topic on Invicti Learn. You click on the link in the email, which takes you to іnvіϲtі.com (the homoglyph site).
- You see a popup that promises you a revolutionary white paper if you provide Invicti with your personal details. You enter your personal details in the form provided.
- The attacker has now stolen your personal information and can use it for other purposes, such as, potentially, identity theft or unauthorized access (depending on the scope of information that you were tricked into providing in the fake form).
In a full man-in-the-middle scenario, the attacker’s website could also communicate in the background with the original invicti.com website. While the invicti.com webpage is not a very lucrative target for such an attack due to its limited functionality, your online bank’s login page may be. And even a non-lucrative target such as invicti.com could be used, for example, to distribute malware such as botnet clients used for distributed denial-of-service (DDoS) attacks, cryptocurrency miners, or even ransomware.
Non-phishing HTTP spoofing attacks
If the spoofer does not want to resort to phishing and is able to execute a different man-in-the-middle attack, such as ARP spoofing, IP address spoofing, DNS spoofing, or session hijacking, they could use these in conjunction with HTTP spoofing to make the victim visit a fake website with no need for social engineering. Malicious actors could, for example, intercept the routing or the communication between the web browser and web server, and replace a legitimate domain name in an HTTP header with its homoglyph. Even some web vulnerabilities, such as cross-site scripting, could be used in conjunction with HTTP spoofing for an effective attack.
How to detect HTTP spoofing?
- For end-users: Detecting HTTP spoofing at the endpoint is very easy if you use a modern web browser. All you have to do is look at the address bar of the browser after you click a link to make sure the webpage you’re on is a trusted source. While links may be provided, for example, in email content, as IDNs, modern browsers (Google Chrome, Mozilla Firefox, Opera, Microsoft Internet Explorer and Edge, Apple Safari) display them in Punycode. That way, you can immediately see that you are not visiting invicti.com but xn--nvt-rzc64ecc.com.
Unfortunately, such protection does not apply to email clients and content on the web. For example, if a homoglyph is pasted into a web comment or sent via email, it will be displayed to the user in the IDN form and could be used for phishing. Some spam filters, such as those used by Gmail, may be able to spot some types of spoofing attacks, including HTTP spoofing. Known homoglyph attacks could even be detected by some antivirus products.
- For domain owners: There is no way at all to detect that you are a victim of HTTP spoofing from the point of view of the domain owner. You would only know if it is reported by your users.
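A filter for email or comment content, of the kind mentioned for end-users above, could run a check like the following. This is an added example, not part of the original article: it pulls hostnames out of message text, decodes any Punycode labels, and flags labels that mix scripts or that collapse to a trusted name. The `TRUSTED` set, the small `CONFUSABLES` table and the sample message are constructed for illustration.

```python
import re
import unicodedata

# Constructed for this example: a small hand-picked look-alike table (not the
# full Unicode confusables data) and the names the filter protects.
CONFUSABLES = {"\u0456": "i", "\u03f2": "c", "\u0435": "e", "\u03bf": "o",
               "\u0261": "g", "\u0430": "a", "\u0440": "p", "\u0441": "c"}
TRUSTED = {"invicti.com", "google.com"}
HOST_RE = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)

def to_unicode(host):
    """Decode 'xn--' labels so links sent in either form are inspected alike."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass                      # malformed label: inspect it as written
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Heuristic script detection: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(host):
    """Replace known look-alikes with the ASCII letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def inspect_host(host):
    shown = to_unicode(host)
    skel = skeleton(shown)
    return {
        "mixed_script": any(len(scripts(l)) > 1 for l in shown.split(".")),
        "imitates": skel if skel in TRUSTED and skel != shown else None,
    }

def scan(text):
    """Map every hostname linked in the text to its findings."""
    return {host: inspect_host(host) for host in HOST_RE.findall(text)}

# Constructed sample message: one look-alike link and one genuine link.
SAMPLE = ("New white paper: https://\u0456nv\u0456\u03f2t\u0456.com/learn "
          "(main site: https://invicti.com/)")
```

The mixed-script test alone misses names written entirely in one non-Latin script, which is why the skeleton comparison against the trusted list is kept as a separate signal.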
How to prevent HTTP spoofing?
- For end-users: You cannot prevent attackers from sending IDN homographs to you via email or from including them in web content. The only way you can avoid being a victim is by checking the address bar of your web browser to make sure that you are on a legitimate website.
- For domain owners: There is no way to prevent HTTP spoofing if your domain name contains letters that have convincing homoglyphs. While many registrars will manually check domains with IDNs before registration specifically to protect against homograph/homoglyph attacks, there are some registrars who don’t do this, and the attacker can always choose one of them. This means there is no practical way to prevent the creation of a homoglyph domain name and a website that looks just like yours.
How to mitigate HTTP spoofing?
- For end-users: Some sources recommend that you use a web-enabled password manager, such as the one built into Google Chrome, or an external one like LastPass, to mitigate HTTP spoofing. Such tools will autocomplete password forms only if the domain in the address bar matches the one on file. This means they won’t automatically fill in the password field if you are visiting a fake domain, which should (in theory) make you look more closely at the address bar. Do keep in mind, though, that online password managers have been known to have vulnerabilities of their own.
- For domain owners: If you believe that your domain is being targeted in an HTTP spoofing attack, your best bet is to warn your users through your usual marketing and communications channels. This will help to mitigate potential consequences, such as users providing sensitive information to cybercriminals or compromising their cybersecurity in some other way and then believing your legitimate site was to blame.
Frequently asked questions
What is HTTP spoofing?
HTTP spoofing relies on tricking users into visiting or trusting a malicious domain by crafting a name that visually resembles a legitimate domain. It is considered a type of man-in-the-middle attack (MITM) but is also often used for phishing attacks.
How dangerous is HTTP spoofing?
HTTP spoofing is not considered very dangerous because most browsers use Punycode to display URLs in the address bar, allowing users to quickly identify attack attempts. Also, for HTTP spoofing to be used in man-in-the-middle attacks, it must be combined with other techniques, such as ARP spoofing, IP spoofing, or DNS cache poisoning.
How to prevent HTTP spoofing attacks?
The best way to prevent HTTP spoofing attacks is to use a modern browser and always look carefully at the address bar. In an HTTP spoofing attack, the address bar of a modern browser will show the spoofed name in Punycode, which will look nothing like the legitimate domain name.
Find out how to prevent other man-in-the-middle attacks (MITM).
Written by: Tomasz Andrzej Nidecki, reviewed by: Zbigniew Banach