Zero-Day Bug Allowed Attackers to Register Malicious Domains


Nov 3, 2019
A zero-day vulnerability impacting Verisign and several SaaS services including Google, Amazon, and DigitalOcean allowed potential attackers to register .com and .net homograph domain names (among others) that could be used in insider, phishing, and social-engineering attacks against organizations.

Before this flaw was disclosed by Soluble security researcher Matt Hamilton in collaboration with security testing firm Bishop Fox to Verisign and SaaS services, anyone could register homograph domain names on gTLDs (.com, .net, and more) and subdomains within some SaaS companies using homoglyph characters.

"Some of these vendors were responsive and engaged in productive dialog, though others have not responded or did not want to fix the issue," Hamilton says.

At this time, only Verisign and Amazon (S3) have remediated this issue, with Verisign deploying changes to gTLD registration rules to block the registration of domains using these homoglyphs.

The vulnerability was discovered by Hamilton after attempting to register domains using Latin homoglyph characters (i.e., Unicode Latin IPA Extension homoglyphs).

Homograph domains commonly used for malicious purposes
Abusing this domain registration vulnerability can lead to attacks very similar to IDN homograph attacks, presenting the same range of risks.

Homograph attacks happen when threat actors register new domains that look very similar, and sometimes identical, to those of known organizations and companies and assign them valid certificates.

They are usually used as part of scam campaigns that rely on these lookalike domains to redirect potential victims to sites delivering malware or attempting to steal their credentials.

Homograph attacks are nothing new: web browsers expose them by replacing the Unicode characters with Punycode in the address bar, and Verisign and similar providers have rules in place that block the registration of homograph domains. The Unicode Latin IPA Extension character set, however, wasn't blocked until Hamilton's disclosure.

Attackers started abusing this flaw in 2017
After registering a homograph domain or subdomain that's indistinguishable from the domain of a high-profile company, attackers can launch any number of attacks that take advantage of this, including but not limited to highly targeted phishing and social-engineering attacks against the employees, customers, or users of the organization whose domain is spoofed.

"Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates," Hamilton says. "This included prominent financial, internet shopping, technology, and other Fortune 100 sites."

He also found that "third-parties had registered and generated HTTPS certificates for 15 of the 300 tested domains using this homoglyph technique."

"Additionally, one instance of a homoglyph domain hosting an unofficial and presumed malicious jQuery library was found.

"There is no legitimate or non-fraudulent justification for this activity (excluding the research I conducted for this responsible disclosure)," Hamilton added.

The homograph domain names registered by abusing this vulnerability were most probably used as part of highly targeted social-engineering campaigns directed at employees of high-profile government and privately held organizations rather than common phishing campaigns targeting random victims.

As part of the research process, Hamilton also registered the following homograph domains using Unicode Latin IPA Extension homoglyph characters to show the impact they could have if used for malicious purposes (some of them have already been transferred to the owners of the non-homograph domains):


Vulnerability fixed by Verisign
Verisign, the authoritative registry for the .com, .net, .edu, and several other generic top-level domains (gTLDs), has fixed the flaw and now restricts the registration of domains using these homoglyph characters, and it has also changed domain name registration rules by updating the table of allowed characters in newly registered domains.

"Safeguarding the stability, security, and resiliency of the critical infrastructure we operate is our top priority," Verisign said in a statement. "While the underlying issue described by Mr. Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited.

"Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report.

"We value the contributions of the security research community to the stability, security, and resiliency of the Domain Name System, and appreciate Mr. Hamilton’s responsible disclosure in this matter."

After the zero-day was disclosed, a tool for generating domain permutations using these homoglyph characters and for checking Certificate Transparency logs was also created and is now available online.

More details about this vulnerability and the full disclosure timeline can be found in Hamilton’s full report on this new type of homograph attack.
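
A defensive check for the character range discussed above, added here as an example (it is not from the article, Hamilton's report, or his tool): it decodes Punycode (`xn--`) labels as they appear in proxy or Certificate Transparency logs and flags any label that mixes ASCII letters with characters from the Unicode IPA Extensions block (U+0250 to U+02AF). The function names and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Unicode "IPA Extensions" block, the range the article says was not blocked.
IPA_EXT = range(0x0250, 0x02B0)


def decode_label(label):
    """Return the Unicode form of one DNS label (decodes xn-- A-labels)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: leave it untouched
    return label


def to_alabel(label):
    """Encode a Unicode label the way it shows up in logs (xn-- form)."""
    return "xn--" + label.encode("punycode").decode("ascii")


def suspicious_labels(hostname):
    """Return [(unicode_label, [(char, codepoint, name), ...]), ...] for
    labels that mix ASCII letters with IPA Extensions characters.
    Labels written wholly in another script are not flagged."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        ipa = [c for c in label if ord(c) in IPA_EXT]
        has_ascii = any(c.isascii() and c.isalpha() for c in label)
        if ipa and has_ascii:
            detail = [(c, "U+%04X" % ord(c), unicodedata.name(c, "?"))
                      for c in ipa]
            findings.append((label, detail))
    return findings


# Constructed sample input (hypothetical hostnames, built inline).
SAMPLES = [
    "www.example.com",
    to_alabel("ex\u0251mple") + ".com",          # U+0251 where 'a' belongs
    "login." + to_alabel("\u0261ood") + ".net",  # U+0261 where 'g' belongs
    "xn--mnchen-3ya.de",                         # ordinary IDN, no IPA chars
]

if __name__ == "__main__":
    for host in SAMPLES:
        for label, detail in suspicious_labels(host):
            print(host, "->", label, detail)
```
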