DNS Homographs Detection in the Wild

Since early 2000 when internationalized domain name (IDN) gained traction, people have had more choices on the characters to use for creating Internet domain names. Extending character choices beyond ASCII to Unicode provides the needed coverage for most of the world's writing systems. Unfortunately, the IDN mechanism also put Internet users at risk of homograph attacks as many Unicode characters have strikingly similar or close visual appearance to ASCII characters. For example, through the clever choices of Unicode characters, anyone can create an "infoblox.com" domain, which looks indistinguishable from the legitimate ASCII-only "infoblox.com". The former domain is called a homograph or homoglyph, and the latter a target. The homograph in the example is using the Cyrillic small letter "o" instead of the ASCII "o". Attackers exploit such visual ambiguity or semblance existing with many Unicode characters to create homographs that impersonate priced targets. Homograph domains damage the reputation of targets and pose a threat to users that visit them. Moreover, these attacks can be employed in various types of phishing scams to steal sensitive information or to gain access to protected resources.

In this talk, we will introduce DNS homograph attacks and provide some highlights of relevant background work to detect them. We will then describe how we trained and fielded a machine learning classifier for homographs detection, and share examples of homographs caught in the wild over several months of passive DNS data.