Over the last few months we did some research on how to create phishing emails which are good enough to fool even security professionals.
To that end, we looked into quite an old topic: Punycode domains and IDN homograph attacks.
Punycode is a special encoding used to convert Unicode characters to ASCII.
The procedure of encoding may be illustrated using an example domain like bücher.example.
bücher converted to Punycode results in bcher-kva. It is then prefixed with xn-- to produce xn--bcher-kva. The DNS record is therefore xn--bcher-kva.example.
However, this can also be used to trick users into visiting malicious URLs. In 2017, Xudong Zheng wrote a blog post about Phishing with Unicode Domains.
They created a PoC domain for apple.com where they used a Cyrillic ‘a’ – back then, browsers only displayed the Unicode representation, which made it very hard for even experienced users to spot an attack. In the meantime, all browsers except Firefox display the Punycode representation by default, which eliminates most of those attacks within web browsers. But what about email spoofing attacks?
We at A1 Digital continuously try to improve the quality of our phishing campaigns and Unicode domains seemed to be a promising way to achieve a nearly perfect phishing mail.
In order to create a PoC, we registered the domain а1.digital, where the ‘а’ equals the Cyrillic а (U+0430).
We were interested in how popular email clients handle emails sent from Punycode domains and which security mechanisms they have in place to spot potential phishing attacks via this specific vector.
We had a look at the following products:
- Outlook for Windows
- Outlook Mobile
- Office365 Web (outlook.office365.com)
- Gmail Web
- Gmail Android
- Mail for iPhone
We tested different vectors:
- Send an email with a Punycode-encoded "FROM" field (example: FROM: Bud Spencer <email@example.com>)
- Send an email with a Unicode-encoded "FROM" field (example: FROM: Bud Spencer <bud.spencer@а1.digital>)
- Send an email with a legit "FROM" field but a fake "Reply-To", using either a Punycode-encoded or a Unicode-encoded email address (example: FROM: Bud Spencer <firstname.lastname@example.org>, Reply-To: Bud Spencer <email@example.com>)
The scenario is the following: Bud Spencer (firstname.lastname@example.org) is impersonated by a malicious person, who writes Terence Hill an email with the following content:
You can find the registration link for our security awareness training below:
The following table shows an overview of the results:
Who we are – disclaimer
We are a team of security enthusiasts based in Austria. We provide professional social engineering and penetration testing campaigns. If you need help in these areas, contact email@example.com.
Offensity also helps professional IT admins identify vulnerabilities by scanning their infrastructure automatically. Make sure to test our tool - it's completely free for up to 2 domains and 50 subdomains!
Outlook for Windows
Version used for testing: Office 365 16.0.11328.20286
The following emails were sent using Punycode-encoded "FROM" fields
As shown above, Outlook displays a small warning to the user. Most users wouldn't notice the warning; nevertheless, we wanted to improve on this. Using a legit "FROM" field but a Punycode-encoded "Reply-To" field creates the following:
No warning! The following screenshot shows that the attack is not recognizable when replying to the fake email. Note that in this example, the victim is replying to the attacker.
Note: Outlook 2016 shows the Punycode representation when receiving the above fake email. When sending phishing emails using Unicode-encoded "FROM" fields, the attack would not be recognizable.
Outlook Mobile for Android
Version used for testing: 3.0.63 (319)
The test emails were sent both Unicode-encoded and Punycode-encoded. However, as shown below, Outlook for Android always shows the Punycode representation, which allows users to detect the attack.
Office365 Web (outlook.office365.com)
The email below was sent using the Unicode representation of а1.digital - in this case the user has no way of recognizing this phishing email, even when replying to it.
Gmail is very interesting - it is one of the most widely used webmail interfaces out there. When receiving the email (sent with a Punycode sender; when it is sent as Unicode, the Gmail servers won't accept the email), there is no way of detecting the phishing attack. Additionally, it is not classified as spam by the Google spam protection service.
When expanding the details, you can see that the email is signed by xn--1-7sb.digital - this is because of the DKIM signature. We used an external email provider which signs all outgoing mails - we could of course deactivate this when setting up our own email server, which would result in a stealthier attack. The downside would be that the spam score wouldn't be that good without a valid DKIM signature.
The most interesting part is that when replying to the phishing mail, Gmail warns the user with the following message:
In our opinion, this is a very good security feature. Once the victim has replied to the phishing email, the warning is no longer triggered when replying to another email from this sender.
Version used for testing: 2019.04.28.246421133.release
As shown above, the Gmail web interface provides a good security feature which warns the user when replying to those kinds of phishing emails. Gmail for Android does not provide this feature. In our tests we were not able to trigger a similar warning, which is why we reported this to Google. After some discussion, Google responded that they are looking into this and that they will probably provide a fix.
Mail for iPhone
IMail was not vulnerable to this attack at the time of testing and was showing the Punycode representation of the sender.
Version used for testing: 60.6.1 (32-bit)
When sending phishing emails using the Unicode encoding, there is no way of detecting this kind of attack in Thunderbird.
Replying to this email looks like this:
This research showed that sophisticated phishing attacks using IDN homograph attacks are easily possible. Vendors like Outlook and Thunderbird have not implemented meaningful countermeasures to allow the detection of such attacks.
The powerful part about this kind of spear phishing is that a two-way interaction is possible - we can actually receive replies to phishing emails, which allows more advanced attacks and opens new ways to create targeted phishing campaigns.
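A receiving-side check for the header vectors tested above, added here as an example and not part of the original research: it decodes xn-- labels (the Punycode step described at the top) so Punycode and Unicode senders compare equal, then flags look-alikes of a protected domain and Reply-To domains that differ from From. The `PROTECTED` set, the `CONFUSABLE` subset, the function names and the sample message are constructed assumptions.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

PROTECTED = {"a1.digital"}  # assumption: domains the organisation really sends from
# Constructed subset of Cyrillic look-alikes; UTS #39 confusables.txt has the full table.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def to_unicode(domain):
    """Decode each xn-- (Punycode) label so both encodings compare equal."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def scripts(domain):
    """Scripts of the letters in a domain, read from Unicode character names."""
    return sorted({unicodedata.name(c).split()[0] for c in domain if c.isalpha()})

def check_headers(raw):
    """Return a list of findings for the From and Reply-To headers of a message."""
    msg = message_from_string(raw)
    findings, seen = [], {}
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" not in addr:
            continue
        domain = seen[header] = to_unicode(addr.rsplit("@", 1)[1])
        if domain.isascii():
            continue
        skeleton = "".join(CONFUSABLE.get(c, c) for c in domain)
        what = f"imitates {skeleton}" if skeleton in PROTECTED else "is non-ASCII"
        findings.append(f"{header}: {domain} ({'/'.join(scripts(domain))}) {what}")
    if "Reply-To" in seen and seen["Reply-To"] != seen.get("From"):
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample: legitimate From, Punycode-encoded Reply-To (third vector).
SAMPLE = ("From: Bud Spencer <bud.spencer@a1.digital>\n"
          "Reply-To: Bud Spencer <bud.spencer@xn--1-7sb.digital>\n\nRegistration link below.\n")

if __name__ == "__main__":
    print("\n".join(check_headers(SAMPLE)))
```

Because the comparison happens after decoding, the result does not depend on whether the mail client would have rendered the Punycode or the Unicode form.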
How Offensity and A1 Digital can help
We are experts in our fields and, besides our in-house developed Offensity product for continuous monitoring of your external infrastructure, we offer professional services like social engineering, penetration testing and more. You want to know more about this? Contact firstname.lastname@example.org or contact us at https://www.offensity.com/en/contact/ (no worries, this is not a phishing link ;)