HTTP spoofing works by deceiving the user, who is lured by an attacker to a malicious domain with a name that visually resembles a legitimate domain. HTTP spoofing is also called HTTPS spoofing or IDN homograph attacks. This technique, considered a type of man-in-the-middle attack (MITM), is often used for phishing attacks.
Note: Despite the name HTTP spoofing or HTTPS spoofing (both are used to describe this type of attack), this attack technique has very little to do with the HTTP/HTTPS protocols and is, in fact, based on a vulnerability in the international domain name system.
In the early days of the Internet, domain names and hostnames could only contain ASCII characters. Internationalized domain names (IDNs) were first proposed in 1987 by Martin Dürst and implemented in 1990 by Tan Juay Kwang and Leong Kok Yong under the guidance of Tan Tin Wee. As a standard, ICANN and other organizations adopted a system called Internationalizing Domain Names in Applications (IDNA).
IDNs made it possible to use all Unicode characters in top-level domain (TLD) names as well as subdomains and hostnames. This was an important accessibility improvement for users of many different alphabets and different languages, but it also introduced an unexpected vulnerability: IDN homographs or rather homoglyphs.
A homograph is a word that shares the same written form as another word but has a different meaning. An example of an English homograph could be bow, as in the bow of a ship versus a bow used to shoot arrows (not to mention taking a bow). The related term homoglyph means look-alike characters or glyphs with shapes that appear identical or very similar.
An IDN homograph, which should actually be called IDN homoglyph, is a term used to describe two international domain names that look almost the same but are actually made up of completely different characters. This is possible because some letters from non-Latin alphabets, for example, the Greek alphabet, the Cyrillic alphabet, or even the Arabic alphabet, closely resemble letters from the ASCII character set. For example, the Latin letter I (capital i) and the Cyrillic character І look identical (or almost identical, depending on the font used).
A scammer can use IDN homoglyphs for malicious purposes by registering a domain that includes IDN homoglyphs of a domain that they want to spoof. For example, they could try to register ɡοοɡlе.com. This is, in fact, not google.com – you can use the Unicode lookup web application to check.
After registering the fake domain, the attacker can scam victims, for example, by using phishing techniques, luring them to a fake website made to look and feel exactly like the original one. The attacker can use such website spoofing to capture information entered by the user, such as login credentials or other types of authentication or access control information, sensitive information, phone numbers, etc.
Note that before IDNs were introduced, HTTP spoofing was also theoretically possible but much easier to spot. For example, the attacker could attempt to register the domain goog1e.com and trick the victim into visiting it instead of google.com. This technique is also sometimes called script spoofing and follows the same idea as typosquatting (registering domains with common misspellings).
It is not known who first used the term homograph attack instead of homoglyph attack, or why, but the incorrect name was adopted by many (as were similar terms such as homograph domain). The topic became hot after the publication of the article Phishing with Unicode Domains by security researcher Xudong Zheng in 2017.
Punycode is an encoding that represents Unicode characters as ASCII characters in domain names and hostnames. Since the original domain name system was not designed with Unicode in mind, it would be very difficult to introduce non-ASCII characters into domain names directly. Instead, all IDNs are actually stored and processed in Punycode form, for example, on DNS servers, and only displayed in their Unicode form for the users.
For example, if you paste ɡοοɡlе.com into your browser, it will first convert it to Punycode (xn--l-r1aa31la42e.com) and only then send that information further. Many applications, such as email clients, will also work the other way around – if they receive content with Punycode, they will recognize it and display it as Unicode.
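The following script is an added example, not code from the original article or from Invicti: it shows the Punycode conversion described above in both directions (the ɡοοɡlе.com label from the text encodes to xn--l-r1aa31la42e), and it applies two defender-side checks to a candidate domain: does the label mix scripts (Latin, Greek and Cyrillic letters side by side, as in the homoglyph example), and does it fold to a protected brand name once look-alike glyphs are replaced by the ASCII letters they imitate (which also catches the pre-IDN goog1e.com style of script spoofing). The confusable table and the protected-domain list are small, hand-built assumptions for the demonstration; a production check would use the Unicode consortium's confusables data.

```python
import unicodedata

# Constructed sample input (not from the article's own tooling): the homoglyph domain
# from the text, written with escapes so each look-alike character is explicit.
HOMOGLYPH_DOMAIN = "\u0261\u03bf\u03bf\u0261l\u0435.com"   # renders as ɡοοɡlе.com
PROTECTED = ["google.com", "invicti.com"]                  # assumed list of brands to protect

# Small hand-built confusable table (an assumption; Unicode's confusables.txt is far larger).
# Maps a look-alike glyph to the ASCII character it imitates.
CONFUSABLES = {
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "1": "l",       # pre-IDN "script spoofing", e.g. goog1e.com
    "0": "o",
}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form that a browser sends towards DNS, label by label."""
    labels = []
    for label in domain.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def from_punycode(domain: str) -> str:
    """Reverse direction: the Unicode form a mail client or browser would display."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Collect the scripts of the alphabetic characters in a label, taken from the first
    word of each character's Unicode name (LATIN, GREEK, CYRILLIC ...). This is a
    simplification of real script detection, but enough to spot mixed-script labels."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        try:
            scripts.add(unicodedata.name(ch).split()[0])
        except ValueError:          # unnamed code point
            scripts.add("UNKNOWN")
    return scripts


def skeleton(label: str) -> str:
    """Fold every known confusable glyph to the ASCII character it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label).lower()


def assess(domain: str, protected=PROTECTED) -> dict:
    """Report whether a domain is non-ASCII, mixes scripts, or folds to a protected name."""
    host = domain.lower()
    labels = host.split(".")
    folded = ".".join(skeleton(label) for label in labels)
    return {
        "punycode": to_punycode(host),
        "non_ascii": not host.isascii(),
        "mixed_scripts": any(len(scripts_in(label)) > 1 for label in labels),
        # Only a look-alike if it folds to a protected name but is not that name itself.
        "lookalike_of": folded if folded in protected and folded != host else None,
    }


if __name__ == "__main__":
    for candidate in (HOMOGLYPH_DOMAIN, "goog1e.com", "google.com"):
        print(candidate, assess(candidate))
```

Running the block prints one report per constructed domain; the homoglyph domain is flagged on all three counts (non-ASCII, mixed scripts, folds to google.com), goog1e.com is flagged only as a look-alike, and google.com passes clean. The same `assess` logic can be run over hostnames pulled from mail logs or proxy logs to surface candidate spoofing domains for review.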
In a full man-in-the-middle scenario, the attacker’s website could also communicate in the background with the original invicti.com website. While the invicti.com webpage is not a very lucrative target for such an attack due to its limited functionality, your online bank’s login page may be. And even a non-lucrative target such as invicti.com could be used, for example, to distribute malware such as botnet clients used for distributed denial-of-service (DDoS) attacks, cryptocurrency miners, or even ransomware.
If the spoofer does not want to resort to phishing and is able to execute a different man-in-the-middle attack, such as ARP spoofing, IP address spoofing, DNS spoofing, or session hijacking, they could use these in conjunction with HTTP spoofing to make the victim visit a fake website with no need for social engineering. Malicious actors could, for example, intercept the routing or the communication between the web browser and web server, and replace a legitimate domain name in an HTTP header with its homoglyph. Even some web vulnerabilities, such as cross-site scripting, could be used in conjunction with HTTP spoofing for an effective attack.
HTTP spoofing relies on tricking users into visiting or trusting a malicious domain by crafting a name that visually resembles a legitimate domain. It is considered a type of man-in-the-middle attack (MITM) but is also often used for phishing attacks.
HTTP spoofing is not considered very dangerous because most browsers use Punycode to display URLs in the address bar, allowing users to quickly identify attack attempts. Also, for HTTP spoofing to be used in man-in-the-middle attacks, it must be combined with other techniques, such as ARP spoofing, IP spoofing, or DNS cache poisoning.
The best way to prevent HTTP spoofing attacks is to use a modern browser and always look carefully at the address bar. In an HTTP spoofing attack, the address bar of a modern browser will show the spoofed name in Punycode, which will look nothing like the legitimate domain name.