Advance Phishing Using An IDN Homograph Attack
Thread Owner : Murder, Category : General Hacking, 2 Comment, 966 Read
05-23-2020, 03:14 AM
#1
Advance Phishing Guide: IDN Homograph Attack


In this thread, I will walk you through a detailed explanation of how to perform an advanced phishing attack incorporating an IDN Homograph. We will be using EvilURL by UndeadSec for this attack. You need to have Python and git installed on your system before you start up EvilURL. This took me some time to write, so please do leave a like. Let's begin.


Unicode

When it comes to characters, most people think that the only characters are the alphabet, numerics (0-9) and some special symbols (*&^). But in reality, this is not the case. Unicode consists of close to a thousand characters. This includes numbers, symbols, letters etc. So why is Unicode important to us? It can be used as an exploit. Let me explain:

T: Regular “T” in the alphabet
Ƭ: Unicode U+01AC

As you can see there is a slight variation in the Unicode “U+01AC” and it looks like a “T”. We can use the similarities between these characters to our advantage.


https://www.Snapchat.com
https://www.Śnapchat.com


The second URL is not the real Snapchat domain. You can see that the S is not a true alphabetical S. However, keep in mind that when we are usually phishing, it is us who send the victim the web address. Since they do not type the address on their own, this makes phishing very easy.
Say you got the following email:

Support@Instagram.com
Hello Adam,
We have reason to believe that your Instagram account password is compromised. Please login to your Instagram account and change your password.
www.Іnstagram.com/reset/password/user-6773673786/


The letter “I” in the link above is not a true “I” but a Unicode (U+0406). Now I hope you can understand how powerful Unicode can be. If you structure a good spoofed email with good SE skills, the user won't even think about whether it's valid or not.


Starting the Attack - Windows OS

Open up your console, and type:
git clone https://github.com/UndeadSec/EvilURL

Navigate to the folder and list the directory:
Cd EvilUrl-Master

Type the following command to start EvilURL:
python evilurl.py


EvilURL will now load.
It will ask you "Insert Name: ". Here you need to enter the name of the website you are planning on using. For example, if I am trying to get people's Facebook passwords, I will type "Facebook" and hit enter.
Then, it will ask "Insert Level Domain: ". You need to add the domain extension for your particular website. In my case, I will type ".com" and hit enter because Facebook's official domain is facebook.com.
Once you do this, EvilURL will generate a list of domains that look extremely similar to "facebook.com". The way EvilURL works is that it identifies similar Unicode in the URL supplied by the user, and tries to create as many combinations as possible by replacing certain Unicode to make it look as close to the real URL as possible. Remember, the browser does not read the Unicode character. It will only output the Unicode. Let me explain:

Say you used EvilURL to get a URL for Instagram. You will probably get something like this:

https://www.Іnstagram.com/ 
This link looks like the actual Instagram domain, right? But EvilURL has just swapped a Unicode character for the actual character "I". Now if you click on this link, you will be redirected to this webpage:

[Image: 1216835024598367ceb96918ba7656df.png]

You may be confused as to what this gibberish URL is. Remember how I told you that the browser only reads the Unicode but not the character? This is the URL in Unicode. Now all you need to do is to register this domain. In this case, to use https://www.Іnstagram.com/ we need to register the domain www.xn--nstagram-22a44046d.com. Once you have registered and owned the domain, you can use the character-swapped EvilURL to do various phishing attacks. In our case, we have a character-swapped URL for Instagram. We own the actual Unicode domain. So whenever we send https://www.Іnstagram.com/ to someone and they click it, they will be redirected to www.xn--nstagram-22a44046d.com, which we now own. Next, you need to set up your phishing site, in our case a clone of the Instagram login page, and point our domain to the clone site. That's it. This is by far the most powerful way to carry out phishing attacks.

I will not go over basic phishing like setting up clone pages and credential harvesting. This thread is solely focused on using EvilURL. An IDN Homograph attack to take phishing to the next level.
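Added example for defenders, not part of the original post and not EvilURL code: a mail or proxy filter can catch the look-alike hosts described above by decoding each label, checking which scripts its letters come from, and folding known look-alikes to ASCII before comparing against a list of protected names. The function names, the tiny confusables map and the protected list are assumptions constructed for this example.

```python
import unicodedata

# Constructed, deliberately tiny confusables map (look-alike -> ASCII letter).
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {"\u0456": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u015b": "s", "\u01ad": "t"}

def decode_label(label):
    """Return the Unicode form of one DNS label (handles xn-- A-labels)."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Return the A-label (xn-- form) that is actually looked up in DNS."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold known look-alikes to ASCII so visually equal labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def inspect_host(host, protected):
    """Report non-ASCII labels of `host`; `protected` is a set of ASCII names."""
    findings = []
    for raw in host.rstrip(".").split("."):
        label = decode_label(raw)
        if label.isascii():
            continue  # plain ASCII label, nothing to fold
        reasons = []
        if len(scripts(label)) > 1:
            reasons.append("mixed-script")
        if skeleton(label) in protected:
            reasons.append("imitates:" + skeleton(label))
        findings.append({"label": label, "a_label": to_ascii(label),
                         "scripts": sorted(scripts(label)), "reasons": reasons})
    return findings
```

The Snapchat look-alike from the post uses a Latin letter with an accent, so a mixed-script test alone misses it; the skeleton comparison is what flags it.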
07-26-2020, 12:43 AM
#2
This was first reported by a researcher way back, like 10 years ago I guess. Still being exploited wildly.
07-27-2020, 11:38 PM
#3
(07-26-2020, 12:43 AM)garbageman Wrote: This was first reported by a researcher way back, like 10 years ago I guess. Still being exploited wildly.

It's definitely still being used and is quite common to see, although companies now jump on it... although let's be honest, GoDaddy doesn't give a shit and pretty much doesn't care.

