A recently discovered zero-day bug has allowed cybercriminals to register malicious domains. The bug in Verisign and IaaS services permitted domains with homoglyphs.
Zero-Day Bug Permitted Malicious Domains Registration
A researcher from Soluble has found a zero-day bug that allowed the registration of malicious domains. The bug affected Verisign and numerous IaaS services and permitted potential attackers to register domains and subdomains containing homoglyphs. Attackers could use such names to prey on internet users, since they look identical to the domains of popular services.
Elaborating their findings in a blog post, the researchers stated,
It was possible to register homograph domain names on gTLDs (.com, .net, etc.) as well as subdomains within some SaaS companies using homoglyph characters…
An attacker could register a domain or subdomain which appears visually identical to its legitimate counterpart and perform social-engineering or insider attacks against an organization.
In brief, to prevent homograph attacks, many companies restrict the registration of domains and subdomains that mix scripts. However, Verisign and some IaaS services did not apply these restrictions thoroughly, so it remained possible to register domains containing homoglyphs from the Unicode Latin IPA Extensions character set.
Exploiting the same bug allowed the researcher to register numerous domains impersonating prominent firms, such as amɑzon.com, sɑlesforce.com, ɡmɑil.com, and ɑppɩe.com.
Worse, the researcher found active exploitation of the bug in the wild, dating back as far as 2017, which is why the bug is rightly classified as a zero-day.
Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates. This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity.
Possible Mitigations
Upon noticing the bug and its active exploitation, the researcher notified Verisign and IaaS services (Google, Amazon, Wasabi, DigitalOcean).
However, following the report, only Verisign and Amazon addressed the issue. Verisign has changed its gTLD registration rules to prevent the registration of domains with homoglyphs, while Amazon has modified its S3 bucket name validation policy so that names starting with “xn--” are rejected.
The other services have yet to address the issue.