Over the last few months we did some research on how to create phishing emails which are good enough to fool even security professionals.
Therefore, we were looking into quite an old topic: Punycode domains and IDN homograph attacks.

Punycode is a special encoding used to convert Unicode characters to ASCII.
The procedure of encoding may be illustrated using an example domain like bücher.example.
bücher converted to Punycode results in bcher-kva. It is then prefixed with xn-- to produce xn--bcher-kva. The DNS record is therefore xn--bcher-kva.example.

However, this can also be used to trick users to visit malicious URLs. In 2017, Xudong Zheng wrote a blog-post about Phishing with Unicode Domains.
They created a PoC domain for apple.com where they used a Cyrillic ‘a’ – back then, browsers only displayed the Unicode representation, which made it very hard for even experienced users to spot an attack. In the meantime, all browsers except Firefox display the Punycode representation by default, which eliminates most of those attacks within web browsers. But what about email spoofing attacks?

We at A1 Digital continuously try to improve the quality of our phishing campaigns and Unicode domains seemed to be a promising way to achieve a nearly perfect phishing mail.
In order to create a PoC, we registered the domain а1.digital, where the ‘а’ equals the Cyrillic а (U+0430).

We were interested in how popular email clients handle emails sent from Punycode domains and which security mechanisms they have in place to spot potential phishing attacks via this specific vector.
We had a look at the following products:

  • Outlook for Windows
  • Outlook Mobile
  • Office365 Web (outlook.office365.com)
  • Gmail Web
  • Gmail Android
  • Mail for iPhone
  • Thunderbird

We tested different vectors:

  • Send an E-Mail with Punycode-encoded "FROM" field (example: FROM: Bud Spencer <bud.spencer@xn--1-7sb.digital>)
  • Send an E-Mail with Unicode-encoded "FROM" field (example: FROM: Bud Spencer <bud.spencer@а1.digital>)
  • Send an E-Mail with a legit "FROM" field but fake the "Reply-To" either with a Punycode-encoded or Unicode-encoded email address (example: FROM: Bud Spencer <bud.spencer@a1.digital>, Reply-To: Bud Spencer <bud.spencer@xn--1-7sb.digital>)

The scenario is the following: Bud Spencer (bud.spencer@a1.digital) is impersonated by a malicious person, which writes Terence Hill an email with the following content:

Hello Terence,
You can find the registration link for our security awareness training below:
https://а1.digital/security-awareness-training
Kind Regards
Bud

The following table shows an overview of the results:

overview-2.PNG

In the following we present the detailed results of this research including screenshots of the tested applications and what attack vector succeeded.

Outlook for Windows

Version used for testing: Office 365 16.0.11328.20286

The following emails were sent using Punycode-encoded "FROM" fields

outlook-windows-1.PNG

As show above, Outlook warns the user with a small warning. Most users wouldn't notice the warning, nevertheless, we wanted to improve. Using a legit "FROM" field but a Punycode-encoded "Reply-To" field, creates the following:

outlook-windows-2-1.PNG

No warning! The following screenshot shows, that the attack is not recognizable when replying to the fake-email. Note, that in this example, the victim is replying to the attacker.

outlook-windows-3.PNG

Note: Outlook 2016 shows the Punycode representation when receiving the above fake email. When sensing phishing emails using Unicode encoded "FROM" fields, the attack would not be recognizable.

Outlook Mobile for Android

Version used for testing: 3.0.63 (319)

The test emails were sent both Unicode and Punycode encoded. However, as shown below, Outlook for Android always shows the Punycode representation, which allows users to detect the attack.

Email from bud.spencer@xn--1-7sb.digital

Office365 Web (outlook.office365.com)

The email below was sent using the Unicode representation of а1.digital - in this case the user has no way of recognizing this phishing email, even when replying to it.

Office365-Web-1.PNG

Gmail Web

Gmail is very interesting - it is one of the most widely used webmail interfaces out there. When receiving the email (Punycode sender, when sending it as Unicode, the Gmail servers won't accept the email) there is no way of detecting the phishing attack. Additionally, it is not classified as spam by the Google spam protection service.

Gmail-Web-1-1.PNG

When expanding the details, you can see, that the email is signed by xn--1-7sb.digital - this is because of the DKIM signature. We used an external email provider which signs all outgoing mails - we could of course deactivate this when setting up our own email server which would result in a stealthier attack. The downside would be, that the SPAM score wouldn't be that good without a valid DKIM signature.

mailed by: a1.digital, signed by: xn--1-7sb.digital

The most interesting part is, that when replying to the phishing mail, Gmail warns the user with the following message:

Gmail warning: „Be careful with this message”

In our opinion, this is a very good security feature. As soon as the victim replied to the phishing email, the warning won't be triggered when replying to another email from this sender.

Gmail Android

Version used for testing: 2019.04.28.246421133.release

As shown above, the Gmail web interface provided a good security feature which warns the user when replying to those kinds of phishing emails. Gmail for Android does not provide this feature. In our tests we were not able to trigger a similar warning, which is why we reported this to Google. After some discussion, Google responded, that they are looking into this and that they will probably provide a fix.

Gmail-Android.PNG

Mail for iPhone

IMail was not vulnerable to this attack at the time of testing and was showing the Punycode representation of the sender.

imail.PNG

Thunderbird

Version used for testing: 60.6.1 (32-bit)

When sending phishing emails using the Unicode encoding, there is no way of detecting this kind of attack in Thunderbird.

thunderbird-1-1.PNG

Replying to this email looks like this:

thunderbird-2.PNG


Conclusion

This research showed, that sophisticated phishing attacks using IDN Homograph attacks are easily possible. Vendors like Outlook and Thunderbird have not implemented meaningful countermeasures to allow the detection of such attacks.
The powerful part about this kind of spear phishing is, that a two-way interaction is possible - we can actually receive replies to phishing emails which allows more advanced attacks and opens new ways to create targeted phishing campaigns.

How Offensity and A1 Digital can help

We are experts in our fields and besides our inhouse developed Offensity product for continous monitoring of your external infrastructure, we offer professional services like social engineering, penetration testing and more. You want to know more about this? Contact ask.security@a1.digital or visit our website at https://a1.digital/ (no worries, this is not a phishing link ;)

Additionally, follow us on Twitter for future updates!