Newly-registered domains, Punycode and Passive DNS: linking clues for hunting

There has been quite a bit of talk lately in the media around Homograph attacks following the disclosure of a browser vulnerability by Xudong Zheng. The technique itself is not new as we’ve seen several talks in the past at security conferences, from as early as 2012. The good news is most modern browsers have mechanisms in place to limit homograph attacks and Zheng’s proof-of-concept exploited a very specific vulnerability as you can read in his post.

A quick primer on Punycode before we go further: Punycode is a way to convert Unicode characters to a subset of ASCII – consisting of letters, digits and hyphens. The encoding is primarily used in creating domain names in non-ASCII characters, also known as Internationalized Domain Names (IDN). As you can imagine, IDNs serve a clear purpose of letting people in different parts of the world register domains with characters in their native languages. As you can also probably imagine, bad actors figured out a way to abuse IDNs by registering domain names that look very similar to those of popular websites, mostly for the purpose of phishing unsuspecting users.

As threat researchers, we decided to go hunting for such suspicious domains and document techniques we used along the way. We hope they help other researchers as well.

Searching for newly-registered domains

We can find various free and commercial services that provide a daily update of newly added and deleted domains in every zone. We use a handy tool provided by domainpunch.com to search for newly registered domains in the past 30 days. They also provide an IDN filter which made searching for our target domains quite simple. Here is an image showing sample domains from 20th April with IDN filter set.

Image1: Searching by ASCII characters also returns IDN domains on domainpunch.com

You can see in the image above a few obviously suspicious domains that look like icloud.com (Apple’s popular cloud service). We went ahead and looked for more domains in the past 30 days and here is a list of what we found searching by two characters “ou”:

Domain Added on
outloơk[.]com 25-Mar-17
youtưbe[.]com 25-Mar-17
icłouđ[.]com 27-Mar-17
inc-ìcloud[.]com 30-Mar-17
îcloud[.]com 1-Apr-17
ícḷoud[.]com 1-Apr-17
ịclouḍ[.]com 2-Apr-17
icḷouḍ[.]com 9-Apr-17
lclọud[.]com 15-Apr-17
lclouḍ[.]com 17-Apr-17
outıook[.]com 17-Apr-17
ĭcloud[.]com 19-Apr-17
icloụd[.]com 19-Apr-17
ƴoutube[.]com 19-Apr-17
support-ícloud[.]com 19-Apr-17
îcloud[.]com 20-Apr-17
ȋcloud[.]com 20-Apr-17
icloùd[.]com 20-Apr-17
iclöud[.]com 20-Apr-17
íclóùd[.]com 21-Apr-17
ıcıoud[.]com 22-Apr-17

There are a few points worth noting from the table above:

  1. Suspicious domains infringing on popular domains go back as far as we searched. We limited our search to 30 days, but there are most likely many more such domains that were registered earlier. It is again worth noting that homograph attack techniques are not new.
  2. We see several new icloud.com variants since 15th April, a day after Zheng’s blog post came out. Such attacks may increase in the near future as more bad actors become aware, or are reminded, of the technique.
  3. Expanding the search to more combinations of letters will likely lead to many, many more domains, as we found 21 domains with just the two letters “ou”.
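
The Punycode primer and the table above can be turned into a repeatable triage step. The following is an added example, not code from the original post: it decodes the xn-- labels of a registration feed and flags names whose folded form contains a watched brand. The watch list, the small confusable map and the sample feed are assumptions constructed for illustration.

```python
import unicodedata

WATCHLIST = ["icloud", "outlook", "youtube"]  # assumption: brands to watch

# No Unicode decomposition, yet they pass for ASCII (illustrative subset; i/l folded).
CONFUSABLE = str.maketrans("\u0142\u0111\u01b4\u0131i", "ldyll")

def to_unicode(domain):
    """Decode each xn-- label of an ASCII (ACE) domain name."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label in the feed: keep it as received
        labels.append(label)
    return ".".join(labels)

def skeleton(text):
    """Drop diacritics (NFKD, minus combining marks), then fold confusables."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.translate(CONFUSABLE)

def hunt(feed):
    """Return (ace_domain, unicode_domain, brand) for each IDN lookalike."""
    hits = []
    for ace in feed:
        if "xn--" not in ace.lower():
            continue  # pure-ASCII names are out of scope for this check
        uni = to_unicode(ace)
        name = uni.rsplit(".", 1)[0]  # everything left of the TLD
        hits += [(ace, uni, b) for b in WATCHLIST if skeleton(b) in skeleton(name)]
    return hits

def to_ace(domain):
    """Encode a Unicode name to the xn-- form a registration feed carries."""
    return ".".join(l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
                    for l in domain.split("."))

# Constructed sample feed modelled on the table above, plus two benign names.
SAMPLE_FEED = [to_ace(d) for d in (
    "\u00eecloud.com", "out\u0131ook.com", "ic\u0142ou\u0111.com", "\u01b4outube.com",
    "support-\u00edcloud.com", "b\u00fccher.example", "example.com")]

if __name__ == "__main__":
    for ace, uni, brand in hunt(SAMPLE_FEED):
        print(f"{ace:32} {uni:24} imitates {brand}")
```

Folding i and l into one class catches swaps in either direction at the cost of some false positives, so treat hits as leads to check against Passive DNS rather than as verdicts.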

Digging deeper using Passive DNS and URL resources

Once we have a list of possibly suspicious domains, we can look for more clues to ascertain maliciousness of the domain. One such technique is using Passive DNS to discover more evidence on activities of bad actors. As an example, we take the last domain in the list above: ıcıoud[.]com. A quick DNS look up reveals the A record as (at the time of writing this blog post). When we plug this into VirusTotal’s Passive DNS lookup tool, we find more evidence of domains registered likely for the purpose of phishing and an associated URL, blocked already by three blacklisting services.

Image2: Passive DNS lookup on Virustotal

Lastly, if we analyze the URL http://icld[.]info, we find more details on the behavior of the website. Apparently, it just redirects a visitor to www.icloud.com, Apple’s original iCloud website. More details on the URL analysis are here: http://urlquery.net/report.php?id=1493029021928. We also see very similar behavior with the URL containing the IDN: http://ıcıoud[.]com. It is safe to assume that all the domains listed above in Passive DNS are part of the same attack, most likely registered for phishing users. It is also worth monitoring all such IDN domains for an extended period of time, for example a week or two, as they tend to go online several days after being registered.

We hope that the techniques listed above help threat researchers uncover more malicious actors and help the security community take them down.

Happy hunting!


P.S. – Another handy tool: convert punycode to ASCII using https://www.punycoder.com/