URL Hijacking and Punycode Attacks

The NJCCIC recently identified a URL hijacking incident in which threat actors directed users to a malicious website whose domain resembled that of a NJ State agency. Also referred to as typosquatting, URL hijacking is a form of cybersquatting in which threat actors register a domain name similar to a legitimate entity’s domain name in order to fool users into believing they are visiting a legitimate, known website. An example is registering the domain example[.]co when the legitimate website is example[.]com.

A similar tactic is known as a Punycode attack or “homograph attack.” Punycode is used to convert words that cannot be written in ASCII, such as those in Greek and Cyrillic, into ASCII characters that can be interpreted by the Domain Name System. The problem is twofold: some systems recognize the Punycode and display the URL using the original alphabet’s characters, and some Roman alphabet characters look very similar to characters of other alphabets. A domain registered as xn--mxail5aa[.]com looks like the word “apple” when displayed using the Greek alphabet, leading users to believe they are visiting one website while being directed to another. Many web browsers are combating this tactic by alerting users when sites are suspected of exploiting Punycode and by providing the option to display such domains only in their Punycode form.

Threat actors are employing both URL hijacking and Punycode attacks in order to steal user account credentials or install malware onto targeted systems; therefore, the NJCCIC recommends users verify every URL for legitimacy prior to visiting the site or entering any account credentials. Users are encouraged to manually type the site’s URL into their web browser or use a search engine to navigate to the correct site, and to exercise caution when choosing to click on links contained within emails.
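The Punycode conversion and the look-alike problem described above, as an added defender-side example that is not part of the NJCCIC advisory: the script converts a Unicode label to its ACE (`xn--`) form and back, then flags labels that mix scripts or that collapse onto a protected name once confusable letters are mapped to their Latin look-alikes. The confusables table, the protected-name list and the sample domains are constructed for this example; the Cyrillic "apple" label is the widely cited one, not a domain from the advisory.

```python
import unicodedata

# Small, constructed subset of Unicode confusables: non-Latin letters that render
# almost identically to Latin letters in common fonts. A production check would
# use the full Unicode confusables data instead.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",
}

def to_ace(label):
    """Encode a Unicode label the way DNS stores it: 'xn--' plus Punycode."""
    return "xn--" + label.encode("punycode").decode("ascii")

def decode_label(label):
    """Turn an ACE label (xn--...) back into the text a browser might display."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: keep it as-is so it still gets reported
    return label

def scripts_of(label):
    """Scripts used by the letters of a label (first word of each Unicode character name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Replace confusable letters with their Latin look-alikes so spoofs can be compared."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)

def analyze_domain(domain, protected_names):
    """Return (label, finding) pairs for a domain; accepts defanged 'example[.]com' too."""
    findings = []
    for raw in domain.replace("[.]", ".").lower().split("."):
        shown = decode_label(raw)
        found = scripts_of(shown)
        if len(found) > 1:
            findings.append((shown, "mixed-script label: " + ", ".join(sorted(found))))
        look_alike = skeleton(shown)
        if look_alike in protected_names and shown != look_alike:
            findings.append((shown, "homograph of protected name " + look_alike))
    return findings

if __name__ == "__main__":
    cyrillic_apple = "\u0430\u0440\u0440\u04cf\u0435"  # constructed: а р р ӏ е
    print(to_ace(cyrillic_apple))                      # xn--80ak6aa92e
    print(analyze_domain("xn--80ak6aa92e[.]com", {"apple", "example"}))
```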