Over the years, many changes have been made to the Domain Name System (DNS). Some of these changes were made to allow internationalized domain names (IDNs). The concept behind these is simple—to allow language-specific scripts or characters that are not part of the usual Latin alphabet to become part of domain names.
However, the security and cybercrime implications of international domain names have to be considered. We know that criminals jump at every new technological development to make money… and that some open the doors to cybercrime more easily than others.
This is a subject I’ve been thinking about for a while now. There are a number of facets to the IDN discussion and a number of associated risks.
Top-Level Internationalized Domain Names
Initially, country-code top-level domains (ccTLDs) were not part of IDN implementation. For example, you could use Cyrillic characters in an .ru domain, but the country code itself would not be in Cyrillic. (IDN support would be decided by the bodies managing each specific ccTLD.)
Several internationalized domain names have already been approved for use by the following countries:
- China (中国 and 中國)
- Egypt (مصر)
- Hong Kong (香港)
- Russia (рф)
- Saudi Arabia (السعودية)
- Taiwan (台灣 and 台湾)
- United Arab Emirates (امارات)
The first threat that comes to mind is domain squatting in these new country-code domains. Let’s consider a theoretical example of the (fictional) company Bingo. бах is Bingo in Russian. Suppose someone registers бах.рф before Bingo gets around to it.
The customers of Bingo would be exposed to phishing from бах.рф before the legitimate Bingo organization is able to register its domain. (This threat would occur anytime a new TLD is approved that is applicable to an existing organization.)
(Note: The previous two paragraphs originally appeared with “bingo.рф” as the example. This was incorrect, as it is not possible to register bingo.рф. If the top-level component is internationalized, the second-level component must be as well.)
It gets worse. With a valid registration, it would not be hard to prove that a domain is legitimately owned and thus get an SSL certificate. This could lead users to believe they are visiting the legitimate site. The only real solution here is vigilance on the part of the domain owners and registrars and careful scrutiny on the part of computer users.
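As an added illustration (not code from the original post), here is a small Python check that a defender could run over domain names seen in mail or web logs: it renders each name in its ASCII-compatible punycode form for display and logging, flags the invalid combination described in the note above (a plain-ASCII second-level label under an internationalized TLD), and flags any single label that mixes scripts. The sample domains are constructed from the names used in this post; the function names are my own.

```python
import unicodedata

# ASCII digits and the hyphen carry no script of their own in a DNS label.
NEUTRAL = set("0123456789-")


def label_scripts(label: str) -> set:
    """Scripts used in one DNS label, judged by the first word of each
    character's Unicode name (LATIN, CYRILLIC, ARABIC, CJK, ...)."""
    scripts = set()
    for ch in label:
        if ch in NEUTRAL:
            continue
        scripts.add(unicodedata.name(ch).split()[0])
    return scripts


def to_ascii(domain: str) -> str:
    """Punycode (xn--) form of a domain via Python's built-in IDNA codec."""
    return domain.encode("idna").decode("ascii")


def inspect_domain(domain: str) -> dict:
    """Classify a domain for IDN-related review.

    Findings reported:
      mixed_script_label:<label>  one label uses more than one script
      ascii_label_under_idn_tld   the TLD is internationalized but a
                                  lower-level label is plain ASCII; such a
                                  name cannot be registered, so it should
                                  never show up as a legitimate host
    """
    labels = domain.lower().rstrip(".").split(".")
    per_label = [label_scripts(lbl) for lbl in labels]
    tld_is_idn = any(s != "LATIN" for s in per_label[-1])
    findings = [f"mixed_script_label:{lbl}"
                for lbl, scripts in zip(labels, per_label) if len(scripts) > 1]
    if tld_is_idn and any(scripts <= {"LATIN"} for scripts in per_label[:-1]):
        findings.append("ascii_label_under_idn_tld")
    return {
        "domain": domain,
        "ascii": to_ascii(domain),
        "is_idn": any(s != "LATIN" for scripts in per_label for s in scripts),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples taken from the names discussed in this post.
    for name in ("бах.рф", "bingo.рф", "example.com"):
        print(inspect_domain(name))
```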
However, we know that most users do not closely examine all of the URLs they see. Many are still unaware of the risks phishing poses or are too trusting of information they receive by email and by other communication channels. Consider the following list of targets cybercriminals attacked via phishing in August:
Cybercriminals would not persist with this method of attack if it were not profitable.