Hello everyone.
Today i will be giving you a introduction to a spoofing attack which is called as IDN Homograph attack. I’ll perform it on Kali Linux environment.
How it works ?
ASCII has several characters or pairs of characters that look alike and are known as homographs (or homoglyphs). Spoofing attacks based on these similarities are known as homograph spoofing attacks. For example, 0 (the number) and O (the letter), “l” lowercase L, and “I” uppercase “i”.
In a typical example of a hypothetical attack, someone could register a domain name that appears almost identical to an existing domain but goes somewhere else. For example, the domain “rnicrosoft.com” begins with “r” and “n”, not “m”.
Other examples are G00GLE.COM which looks much like GOOGLE.COM in some fonts. Using a mix of uppercase and lowercase characters, googIe.com (capital i, not small L) looks much like google.com in some fonts.
PayPal was a target of a phishing scam exploiting this, using the domain PayPaI.com. In certain narrow-spaced fonts such as Tahoma (the default in the address bar in Windows XP), placing a c in front of a j, l or i will produce homoglyphs such as cl cj ci (d g a). – Read More
The objective of creating an EvilURL is to fool your victim into clicking the malicious link that looks like the intended target but leads elsewhere. Basically useful for phishing scenarios.
How the attack goes :
1] Open a terminal in your Kali Linux Operating system &type: git clone https://github.com/UndeadSec/EvilURL
{what this command does is, it downloads the files required to use the attack from GitHub}
2]Get into the folder which you just downloaded by typing: cd EvilUrl and press Enter.
3]To see the contents of the folder type: ls and hit enter.
4]Now to make the file executable we should change the mode by command : chmod +x evilurl.py
5]Open evilurl.py which we just made executable by command: python3 evilurl.py
Now lets take a deeper look at what is an IDN homograph attack, to do this we are going to create a scenario. In this scenario, i have created a fake Facebook phishing site but my victim is too smart to fall for random urls. So my next issue will be creating a domain name as trustworthy as possible for the hack to succeed. And that’s where EvilURL.py comes in. Lets take a look at the script and use Facebook as an example.
6] Choose option 1 to create a Evil URL & fill the for as below:
Insert name: facebook
Insert level domain: .com
Here you go with all the EVIL URLs or fake URLS which can be used. You might be thinking now what? or whats the use ? Go ahead and copy one of the URL and paste it in your browser.
e.g. : I copied the last url which appears facebook.com and pasted it in my browser and result i got was something weird Hex Numbers.
It happened because the EVILurl created ‘facebook.com’ appearing same using different Greek letters. In my case- ‘a, c, e, o’ words were replaced by Cyrillic Small Letter A, Greek Lunate Sigma Symbol, Cyrillic Small Letter Ie, Cyrillic Small Letter O.
7) So you might be wondering so what? What do we do with all these evil URLs.
8) Ok so this is what happens. Since facebook.com is a registered domain and i will never be able to get my hands on it.
a) Use EvilURL to create fake facebook sites.
b) Register domain name : xn-fbk-qzc85c5a5da.com
c) Place malicious link or phishing site on that domain.
d) Give your victim a message but instead of xn-fbk-qzc85c5a5da.com, give him the evilURL :fаϲеbооk.com
Now when you will create a domain name keep it as ‘http://www.xn--fbk-qzc85c5a5da.com/’ and the link which you will share will be ‘facebook.com’ which you will copy from EVIL URL.
9]Now lets take look when we press 2. It basically will take you to a screen wherein you can check a link if it is EVIL URL or not. This will help you when someone else is trying to scam you with the same trick
10] By pressing 1 now you can check the URL or go with 2 if you wanna play with list.
Here in insert URL tab copy and paste the name of the link which you friend gave you and hit enter Key. In my case my link was appropriate so it showed ‘connection accepted’, if the name entered would have been EVIL then i would have got error as below
The END
ThankYou for Reading the post.
Have a Good Day.
Qirit0
[…] URL shorteners such as Google Url Shortener or bitly.com. 3. You can refer my previous post on IDN Homograph […]
Great content, thanks. I just learnt to use socialfish lastnight & I’ve been looking for a way to mask the attack url since it looks too suspicious. This is the first way I’ve seen that makes sense… but i have questions please:
1• nowhere in the terminal did i see you input your malicious link, how does the evilurl-“facebook.com” redirect or links with your malicious link?? Or is there a step i missed where you input your malicious link ?
2• are there any updated ways to mask malicious url? Since this post was last year, I’m hoping there are better ways now
3• please you can reach me through email I would love to be able to interact with an experienced hacker since i only just started learning lol [email protected] thanks