Internationalized domain names (IDNs) enable organizations to use native-language domains but can be abused to impersonate legitimate sites. The WhoisXML API study analyzes over 63,000 FQDNs containing native-language characters, highlighting DNS security risks exemplified by the Nitrogen campaign that used Punycode to deceive targets. Hashtags: #NitrogenCampaign #Punycode
Keypoints
- IDNs allow organizations to register domains in native languages, expanding global reach but enabling spoofing.
- Attackers can exploit IDNs to create look-alike domains for impersonation and phishing.
- The Nitrogen malware campaign specifically leveraged Punycode to craft deceptive domains, such as wìnscp[.]net.
- The study analyzed 63,105 unique FQDNs drawn from a database exceeding 58 billion rows to identify trends.
- Findings cover the distribution of top-level domains, IP geolocation, and WHOIS data, with two internationalized TLDs implicated in impersonation efforts.
- The top 10 TLDs accounted for 96.27% of the FQDNs analyzed, showing a strong concentration in a few TLDs.
- A white paper titled “Early Homograph Threat Detection: A DNS Study of IDNs and Native Language Characters” provides deeper insights.
MITRE Techniques
- [T1566] Phishing – “Threat actors may use deceptive domains to lure victims into downloading malicious software.”
- [T1566.002] Spearphishing Link – “Attackers create look-alike domains using Punycode to impersonate legitimate entities.”
- [T1003] Credential Dumping – “Malicious domains may be used to harvest credentials from unsuspecting users.”
Indicators of Compromise
- [Domain] Deceptive domains used in Nitrogen campaign – wìnscp[.]net, xn--wnscp-tsa[.]net
- [Domain] Suspicious IDN-based domains impersonating banks – 1stcâpital.xn--fiqs8s, 1stcâlgary.xn--fiqs8s
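The indicators above show the two forms an IDN can take in logs: the A-label (Punycode, "xn--" prefix) that actually travels over DNS, and the U-label (native characters) that a user sees. A defender reviewing DNS or proxy logs needs to normalize both forms before comparing against the brands they protect. The following Python script is an added example, not code from the WhoisXML API study or the linked article; the brand list and the batch of sample FQDNs are constructed, with the page's own indicators included as inputs. It decodes any "xn--" labels with Python's built-in idna codec, strips diacritics to obtain an ASCII skeleton, and flags a second-level label that collapses onto a protected brand only after that stripping.

```python
"""Added example: flag IDN / Punycode look-alike domains in observed FQDNs.

Not code from the WhoisXML API study; the protected-brand list and the
sample FQDNs below are constructed for illustration.
"""
import unicodedata

# Hypothetical set of second-level labels to protect (constructed).
PROTECTED_SLDS = {"winscp", "1stcapital", "1stcalgary"}

# Constructed batch of observed FQDNs. The first three mirror the page's
# indicators: xn--wnscp-tsa.net is the A-label form of wìnscp.net, and
# xn--fiqs8s is the A-label of the .中国 TLD (bank look-alikes given as U-labels).
SAMPLE_FQDNS = [
    "xn--wnscp-tsa.net",
    "1stcâpital.xn--fiqs8s",
    "1stcâlgary.xn--fiqs8s",
    "winscp.net",          # the genuine name: no finding expected
    "example.xn--fiqs8s",  # IDN TLD, but not a brand look-alike
]


def to_unicode(fqdn: str) -> str:
    """Convert every xn-- (A-label) in an FQDN to its Unicode U-label form.

    Labels that are not Punycode pass through unchanged, so mixed input such
    as '1stcâpital.xn--fiqs8s' becomes '1stcâpital.中国'.
    """
    out = []
    for label in fqdn.strip(".").lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        out.append(label)
    return ".".join(out)


def skeleton(text: str) -> str:
    """Strip diacritics: NFKD-decompose, then drop combining marks.

    'wìnscp' -> 'winscp', '1stcâpital' -> '1stcapital'. Characters with no
    decomposition (e.g. CJK ideographs) are left as they are.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def assess(fqdn: str, protected=PROTECTED_SLDS) -> list[str]:
    """Return findings for one FQDN.

    'idn-label:<label>' for every label containing non-ASCII characters, and
    'homograph-of:<brand>' when the second-level label matches a protected
    brand only after its diacritics are removed.
    """
    findings = []
    u_form = to_unicode(fqdn)
    labels = u_form.split(".")
    for lab in labels:
        if any(ord(c) > 127 for c in lab):
            findings.append(f"idn-label:{lab}")
    if len(labels) >= 2:
        sld = labels[-2]
        sld_skel = skeleton(sld)
        if sld_skel != sld and sld_skel in protected:
            findings.append(f"homograph-of:{sld_skel}")
    return findings


def scan(fqdns=SAMPLE_FQDNS) -> dict[str, list[str]]:
    """Run assess() over a batch and keep only FQDNs with at least one finding."""
    return {f: r for f in fqdns if (r := assess(f))}


if __name__ == "__main__":
    for fqdn, findings in scan().items():
        print(f"{fqdn:28} {to_unicode(fqdn):20} {', '.join(findings)}")
```

The skeleton step only handles diacritic look-alikes such as ì for i or â for a; characters from other scripts that merely look like Latin letters (Cyrillic а for Latin a, for example) do not decompose and would need a confusables table on top of this check. Treat an "idn-label" finding on its own as informational (an IDN TLD is legitimate) and escalate on "homograph-of".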
Read more: https://circleid.com/posts/20240919-idns-native-language-characters-and-homograph-attacks