SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Tuesday, April 18th 2017

SANS ISC Handlers

News, Tech News

🗓️ 18 April 2017

⏱️ 7 minutes

Summary

Daily 5 min infosec news summary. News, patches, vulnerabilities and trends in information security. Detecting IDN Phishing; Old Linux Kernel Bug Surfaces; Edge Leaks Info

Transcript

0:00.0

Hello, welcome to the Tuesday, April 18th, 2017 edition of the SANS Internet Storm Center's

0:06.7

Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:13.7

Last week, reports surfaced of international domain names being used in phishing attacks. While this is in itself nothing new, it does look like this latest attempt was more widespread

0:28.8

and hit some large domains like Apple.com as well as some financial domains.

0:35.4

Also, the attacker in this case apparently went through trouble to get an

0:39.4

SSL certificate via Let's Encrypt. The trick of course is pretty simple. The attacker registers a domain

0:46.5

that uses international characters that look very close to specific English characters. A user

0:53.3

clicking on a link has no idea that they're being

0:57.0

sent to a very different domain than the one that appears to show up in the link or the browser's

1:03.7

URL bar. In October 2015, I actually did some experiments with this, and the success of this attack depends a lot on the browser the victim is using.

1:16.0

Some browsers, like for example Internet Explorer, will for the most part not render international characters if a domain mixes different languages.

1:27.0

This sounds actually like a rather reasonable and effective approach.

1:32.8

Other browsers like Firefox use a whitelist approach

1:36.9

and will only render international domain names for some top-level domains.

1:42.5

.com is, for example, not on the list, while .org and country-level

1:47.9

domains are on the white list. Safari, on the other hand, appears to have no problem rendering

1:55.0

most international domains. If a browser does not render the international characters, then it will fall back

2:03.1

to Punycode, which is obviously different from the English characters and a domain could

2:10.5

not easily be impersonated if the browser displays Punycode. Remco Verhoef expanded on this issue a bit in today's diary. He is

2:22.0

listing some of the common homoglyphs or lookalike letters used in the recent attacks. He also

2:28.5

wrote a tool to automatically find domains that use any of these specific letters. This approach could help

2:36.9

with a somewhat more fine-grained approach to filtering these domains. Now back at the end of

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
