Re : Re: UASG Response to WordFence IDN Phishing concerns
Exactly Andrei. Thank you for confirming the same.
I confirmed with .pyc registry (we enabled EAI on почта.рус) also and they are not allowed (as per agreement) to use any other script other than Cyrillic.
So basically it looks like .com problem. Any other examples other than .com ? It narrows down the problem to solve.
Thanks.
Dr. Ajay DATA | Founder & CEO Get email id like अजय@डाटा.भारत in your own language, visit www.xgenplus.com
I would expect a fair number of ccTLDs where it could be an issue as well.
Andrei: What about ccTLDs in other Cyrillic script communities? Have they taken the same precautions as .ru?
D
On 26/04/2017, at 9:40 PM, Dr. AJAY D A T A <ajay@data.in> wrote:
Exactly Andrei. Thank you for confirming the same.
I confirmed with .pyc registry (we enabled EAI on почта.рус) also and they are not allowed (as per agreement) to use any other script other than Cyrillic.
So basically it looks like .com problem. Any other examples other than .com ? It narrows down the problem to solve.
Thanks.
Dr. Ajay DATA | Founder & CEO Get email id like अजय@डाटा.भारत in your own language, visit www.xgenplus.com
From: Andrei Kolesnikov <andrei@rol.ru> MailId : [68484721]
To: Don Hollander <don.hollander@icann.org>
Cc: "Dr. AJAY D A T A" <ajay@data.in>, tan tanakadennis via ua-discuss <ua-discuss@icann.org>
Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Date: 26 Apr 2017 02:16:05 PM
Don, there is no such thing as IDN at .RU - only ascii allowed - we understood the problem long time ago due to similarity of many Cyrillic letters with Latin. In IDN .РФ in Russia only Cyrillic allowed. This definitely must be the rule for registries. Or some kind of immediate mitigation service to bring down dangerous domains.
--andrei
2017-04-26 11:34 GMT+03:00 Don Hollander <don.hollander@icann.org>:
Hi Andrei:
What about at the ccTLD? idn.ru? Does .ru also allow ASCII?
Does the .ru registry, for example, do anything to address homoglyphs between ascii and cyrillic?
D
On 26/04/2017, at 8:30 PM, Andrei Kolesnikov <andrei@rol.ru> wrote:
most use of idn.ascii gTLD as far as I know is .com for example http://путин.com/[xn--h1akeme.com]
Basically most of the confusing cases discussed above are from .com
--andrei
2017-04-26 10:35 GMT+03:00 Dr. AJAY D A T A <ajay@data.in>:
Hello Don,
Which all registries are allowed to register mix of scripts domain while registering an IDN. I checked .pyc (Cyrillic) and .भारत (Devanagari) do not allow mix of scripts. I think we address those registries through ICANN by modifying the registry agreement, major problem can be solved.
Thanks.
Dr. Ajay DATA | Founder & CEO Get email id like अजय@डाटा.भारत in your own language, visit www.xgenplus.com
From: "Tan Tanaka,Dennis via UA-discuss" <ua-discuss@icann.org> MailId : [68456683]
To: Don Hollander <don.hollander@icann.org>, "ua-discuss@icann.org" <ua-discuss@icann.org>
Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Date: 25 Apr 2017 06:28:22 PM
Don, my comments enclosed
Thanks
-Dennis
From: <ua-discuss-bounces@icann.org> on behalf of Don Hollander <don.hollander@icann.org>
Date: Monday, April 24, 2017 at 5:40 PM
To: "UA-discuss@icann.org" <ua-discuss@icann.org>
Subject: [EXTERNAL] [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Further to recent discussion on this list, we have drafted a document that we plan on posting as a Blog Post to the UASG Web site that can be referenced by others.
We want to get feedback from the community on this document by Thursday UTC.
So, here it is – pasted below and as a word document in case you want to enable tracking and make amendments. If you have comments or suggestions, please share them to this group.
Don
IDNs and Phishing: What You Need to Know
By TBD at UASG
Internationalized Domain Names[icann.org] (IDNs) are growing in popularity, a testament to their role in the expansion of the global Internet and the value they provide in connecting non-English speakers to the Web. However, you may have noticed a renewed focus over the past week of a script mixing technique that phishing scammers could potentially use to trick Internet users into visiting malicious websites. This phishing method takes advantage of the fact that characters from various languages and scripts are sometimes visually similar to each other. For example, the Cyrillic “а” and the ASCII[en.wikipedia.org] “a” look virtually identical. This technique is known as a homograph attack.
Homographic phishing efforts associated with IDNs are not new. In fact, they date back to the early 2000s. Registries have since implemented policies that preclude mixing scripts[1] within a domain name label.
While this issue should be taken seriously and serves as an important reminder of consumer safety, various IDN and anti-abuse groups are actively working to mitigate potential threats, and there are already certain browser-set protections in place. In the meantime, Internet users should practice the same basic security hygiene that is always recommended: avoid clicking suspicious links, and use a good password manager that will only enter login credentials on trusted sites.
Equally important is to recognize the benefits of IDNs and avoid disabling them, which could lead to an unpredictable user experience and eventually a decrease in adoption. IDNs are essential in bringing non-English speakers – the majority of the world’s population – online, and allowing those users to create their own highly relevant online identities as well as navigate the Internet in their native languages. In addition to the social and cultural benefits of IDNs, they also represent a significant economic opportunity; a recent report[uasg.tech] commissioned by the Universal Acceptance Steering Group (UASG) found that online spending from new IDN users could start at USD 6.2 billion per year.
The UASG’s mission is to help software developers and website owners keep pace with the evolving Domain Name System (DNS) – and this includes issues around the adoption and acceptance of IDNs. If you’d like to get involved in helping work toward a solution to this and other IDN-related issues, please visit https://uasg.tech/[uasg.tech] or get in touch[uasg.tech] to learn more.
[1] Exceptions are practiced for languages with established orthographies and conventions that require the commingled use of multiple scripts, e.g. the Japanese writing system.
-- Andrey Kolesnikov RIPN.NET
Don Hollander Universal Acceptance Steering Group Skype: don_hollander
Dusan gave us great overview of different ccTLD which ICANN has very little control. However most of the cc registries carry the mitigation process to bring down malicious domain names used explicitly for bad purposes. I definitely don't support overheating the problem. If cross-script attack reaches the level of Kaminsky attack hysteria, we are in deep trouble :)
--andrei
2017-04-26 12:50 GMT+03:00 Don Hollander <don.hollander@icann.org>:
I would expect a fair number of ccTLDs where it could be an issue as well.
Andrei: What about ccTLDs in other Cyrillic script communities? Have they taken the same precautions as .ru?
D
Hi all,
A general reply to this thread: Can we agree on the current version of the blog post to be published asap before we continue the discussion…?
Thank you,
Lars
From: ua-discuss-bounces@icann.org [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrei Kolesnikov
Sent: Wednesday, 26 April 2017 12:06
To: Don Hollander <don.hollander@icann.org>
Cc: Dr. AJAY D A T A <ajay@data.in>; tan tanakadennis via ua-discuss <ua-discuss@icann.org>
Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Dusan gave us great overview of different ccTLD which ICANN has very little control. However most of the cc registries carry the mitigation process to bring down malicious domain names used explicitly for bad purposes. I definitely don't support overheating the problem. If cross-script attack reaches the level of Kaminsky attack hysteria, we are in deep trouble :)
--andrei
Yes, Andrei, I agree totally with you. There is no need for overheating the problem, but we need to look and discuss wider, in order to properly address the problem as such. Much worse usage of domain names these days (and it’s way out of scope of this group, but it may reflect policies in ICANN) are this kind of attacks … https://documents.trendmicro.com/assets/wp/wp-two-years-of-pawn-storm.pdf
@Lars, I have already expressed my opinion – agree, and go ahead with the text.
@Yuriy, few remarks – those examples with IBM and cape are not the only ones as we saw during this discussion, and this is the usage of homoglyphs, which can be legal according to rules for registrations in some of cc’s, but confusing to the users and therefore they can be used as homographic attack.
Dusan
From: ua-discuss-bounces@icann.org On Behalf Of Lars Steffen Sent: Wednesday, April 26, 2017 12:15 PM To: Andrei Kolesnikov <andrei@rol.ru>; Don Hollander <don.hollander@icann.org> Cc: Dr. AJAY D A T A <ajay@data.in>; tan tanakadennis via ua-discuss <ua-discuss@icann.org> Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Hi all, A general reply to this thread: Can we agree on the current version of the blog post to be published asap before we continue the discussion…? Thank you, Lars
From: ua-discuss-bounces@icann.org On Behalf Of Andrei Kolesnikov Sent: Wednesday, 26 April 2017 12:06 To: Don Hollander <don.hollander@icann.org> Cc: Dr. AJAY D A T A <ajay@data.in>; tan tanakadennis via ua-discuss <ua-discuss@icann.org> Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Dusan gave us a great overview of different ccTLDs over which ICANN has very little control. However most of the cc registries carry the mitigation process to bring down malicious domain names used explicitly for bad purposes. I definitely don't support overheating the problem. If cross-script attack reaches the level of Kaminsky attack hysteria, we are in deep trouble :)
--andrei
2017-04-26 12:50 GMT+03:00 Don Hollander <don.hollander@icann.org>:
I would expect a fair number of ccTLDs where it could be an issue as well.
Andrei: What about ccTLDs in other Cyrillic script communities? Have they taken the same precautions as .ru?
D
On 26/04/2017, at 9:40 PM, Dr. AJAY D A T A <ajay@data.in> wrote:
Exactly Andrei. Thank you for confirming the same.
I confirmed with .pyc registry (we enabled EAI on почта.рус) also and they are not allowed (as per agreement) to use any other script other than Cyrillic.
So basically it looks like .com problem. Any other examples other than .com ? It narrows down the problem to solve.
Thanks.
Dr. Ajay DATA | Founder & CEO Get email id like अजय@डाटा.भारत in your own language, visit www.xgenplus.com
From: Andrei Kolesnikov <andrei@rol.ru> MailId : [68484721] To: Don Hollander <don.hollander@icann.org> Cc: "Dr. AJAY D A T A" <ajay@data.in>,tan tanakadennis via ua-discuss <ua-discuss@icann.org> Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns Date: 26 Apr 2017 02:16:05 PM
Don, there is no such thing as IDN at .RU - only ascii allowed - we understood the problem long time ago due to similarity of many Cyrillic letters with Latin. In IDN .РФ in Russia only Cyrillic allowed. This definitely must be the rule for registries. Or some kind of immediate mitigation service to bring down dangerous domains.
Should consider including reference to:
https://www.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf Only 10 of the 42,624 domain names we studied were IDNs, and only one was a homographic attack.
https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf Eighty-two of the 82,163 domain names were internationalized domain names (IDNs), and none were homographic attacks.
https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf Seventy-eight of the 53,685 domain names were internationalized domain names (IDNs), and three of them were homographic attacks.
And this is certainly not a new issue:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwjwwqzBhcLTAhWIVbwKHShHA9kQFggtMAE&url=https%3A%2F%2Fwww.symantec.com%2Fcontent%2Fdam%2Fsymantec%2Fdocs%2Fsecurity-center%2Farchives%2Fintelligence-quarterly-oct-09-en.pdf&usg=AFQjCNGu8162_PXXqnhfHjAQfSUAqYaEXw
www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_08-2011.en-us.pdf
Edmon
Edmon, Greg Aaron and I will be publishing a long-overdue catch-up on these APWG studies within the next couple weeks. In it we will cover 2015 and 2016. In it we will cover the fact that the described homograph attack problem is virtually non-existent in real-world phishing attacks. In all of 2015, the various organizations contributing data to the APWG saw ONE true homographic attack, and in 2016, TWO. There were other uses of IDNs and mixed scripts that we’ll discuss, but there were just a handful. Phishers don’t need to mount homographic attacks to be successful, and I’d say that most of them don’t have the skills and/or motivation to do so. Ironically, the “buzz” about it that this article and coverage has created may actually get a few bad guys interested in exploring the concept. :-( That said, just like any other vulnerability or exploit that has low use but high potential for harm, being prudent about putting measures in place to limit risk and building understanding of those risks are still well worth pursuing, but this certainly isn’t an emergency that needs the “overheating” Andrei so appropriately mentioned. I’ll send a link to the paper once we get it published via the APWG. Cheers, Rod
Resending from my mailing list “approved” address. =============================== Edmon, Greg Aaron and I will be publishing a long-overdue catch-up on these APWG studies within the next couple weeks. In it we will cover 2015 and 2016. In it we will cover the fact that the described homograph attack problem is virtually non-existent in real-world phishing attacks. In all of 2015, the various organizations contributing data to the APWG saw ONE true homographic attack, and in 2016, TWO. There were other uses of IDNs and mixed scripts that we’ll discuss, but there were just a handful. Phishers don’t need to mount homographic attacks to be successful, and I’d say that most of them don’t have the skills and/or motivation to do so. Ironically, the “buzz” about it that this article and coverage has created may actually get a few bad guys interested in exploring the concept. :-( That said, just like any other vulnerability or exploit that has low use but high potential for harm, being prudent about putting measures in place to limit risk and building understanding of those risks are still well worth pursuing, but this certainly isn’t an emergency that needs the “overheating” Andrei so appropriately mentioned. I’ll send a link to the paper once we get it published via the APWG. Cheers, Rod
On Apr 26, 2017, at 5:07 AM, Edmon Chung <edmon@registry.asia> wrote:
Should consider including reference to:
https://www.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf Only 10 of the 42,624 domain names we studied were IDNs, and only one was a homographic attack.
https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf Eighty-two of the 82,163 domain names were internationalized domain names (IDNs), and none were homographic attacks.
https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf Seventy-eight of the 53,685 domain names were internationalized domain names (IDNs), and three of them were homographic attacks.
And this is certainly not a new issue:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact...
www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_08-2011.en-us.pdf
Edmon
From: ua-discuss-bounces@icann.org [mailto:ua-discuss-bounces@icann.org] On Behalf Of Lars Steffen Sent: Wednesday, 26 April 2017 18:15 PM To: Andrei Kolesnikov <andrei@rol.ru>; Don Hollander <don.hollander@icann.org> Cc: Dr. AJAY D A T A <ajay@data.in>; tan tanakadennis via ua-discuss <ua-discuss@icann.org> Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Hi all, A general reply to this thread: Can we agree on the current version of the blog post to be published asap before we continue the discussion…? Thank you, Lars
From: ua-discuss-bounces@icann.org [mailto:ua-discuss-bounces@icann.org] On Behalf Of Andrei Kolesnikov Sent: Wednesday, 26 April 2017 12:06 To: Don Hollander <don.hollander@icann.org> Cc: Dr. AJAY D A T A <ajay@data.in>; tan tanakadennis via ua-discuss <ua-discuss@icann.org> Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Dusan gave us a great overview of different ccTLDs over which ICANN has very little control. However, most of the cc registries carry out a mitigation process to bring down malicious domain names used explicitly for bad purposes. I definitely don't support overheating the problem. If the cross-script attack reaches the level of the Kaminsky attack hysteria, we are in deep trouble :)
--andrei
2017-04-26 12:50 GMT+03:00 Don Hollander <don.hollander@icann.org>:
I would expect a fair number of ccTLDs where it could be an issue as well.
Andrei: What about ccTLDs in other Cyrillic script communities? Have they taken the same precautions as .ru?
D
On 26/04/2017, at 9:40 PM, Dr. AJAY D A T A <ajay@data.in> wrote:
Exactly Andrei. Thank you for confirming the same.
I confirmed with .pyc registry (we enabled EAI on почта.рус) also and they are not allowed (as per agreement) to use any script other than Cyrillic.
So basically it looks like a .com problem. Any other examples other than .com? It narrows down the problem to solve.
Thanks.
Dr. Ajay DATA | Founder & CEO Get email id like अजय@डाटा.भारत in your own language, visit www.xgenplus.com
From: Andrei Kolesnikov <andrei@rol.ru> MailId : [68484721] To: Don Hollander <don.hollander@icann.org> Cc: "Dr. AJAY D A T A" <ajay@data.in>, tan tanakadennis via ua-discuss <ua-discuss@icann.org> Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns Date: 26 Apr 2017 02:16:05 PM
Don, there is no such thing as IDN at .RU - only ASCII is allowed - we understood the problem a long time ago due to the similarity of many Cyrillic letters with Latin. In IDN .РФ in Russia only Cyrillic is allowed. This definitely must be the rule for registries. Or some kind of immediate mitigation service to bring down dangerous domains.
--andrei
2017-04-26 11:34 GMT+03:00 Don Hollander <don.hollander@icann.org>:
Hi Andrei:
What about at the ccTLD? idn.ru? Does .ru also allow ASCII?
Does the .ru registry, for example, do anything to address homoglyphs between ASCII and Cyrillic?
D
On 26/04/2017, at 8:30 PM, Andrei Kolesnikov <andrei@rol.ru> wrote:
Most use of idn.ascii gTLD, as far as I know, is .com, for example http://путин.com/ [xn--h1akeme.com]. Basically, most of the confusing cases discussed above are from .com
--andrei
2017-04-26 10:35 GMT+03:00 Dr. AJAY D A T A <ajay@data.in>:
Hello Don,
Which registries are allowed to register mixed-script domains when registering an IDN? I checked: .pyc (Cyrillic) and .भारत (Devanagari) do not allow a mix of scripts. I think if we address those registries through ICANN by modifying the registry agreement, the major problem can be solved.
Thanks.
Dr. Ajay DATA | Founder & CEO Get email id like अजय@डाटा.भारत in your own language, visit www.xgenplus.com
From: "Tan Tanaka,Dennis via UA-discuss" <ua-discuss@icann.org> MailId : [68456683] To: Don Hollander <don.hollander@icann.org>, "ua-discuss@icann.org" <ua-discuss@icann.org> Subject: Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns Date: 25 Apr 2017 06:28:22 PM
Don, my comments enclosed
Thanks -Dennis
From: <ua-discuss-bounces@icann.org> on behalf of Don Hollander <don.hollander@icann.org> Date: Monday, April 24, 2017 at 5:40 PM To: "UA-discuss@icann.org" <ua-discuss@icann.org> Subject: [EXTERNAL] [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Further to recent discussion on this list, we have drafted a document that we plan on posting as a Blog Post to the UASG Web site that can be referenced by others.
We want to get feedback from the community on this document by Thursday UTC.
So, here it is – pasted below and as a word document in case you want to enable tracking and make amendments. If you have comments or suggestions, please share them to this group.
Don
IDNs and Phishing: What You Need to Know By TBD at UASG
Internationalized Domain Names (IDNs) are growing in popularity, a testament to their role in the expansion of the global Internet and the value they provide in connecting non-English speakers to the Web. However, you may have noticed a renewed focus over the past week of a script mixing technique that phishing scammers could potentially use to trick Internet users into visiting malicious websites. This phishing method takes advantage of the fact that characters from various languages and scripts are sometimes visually similar to each other. For example, the Cyrillic “а” and the ASCII “a” look virtually identical. This technique is known as a homograph attack.
Homographic phishing efforts associated with IDNs are not new. In fact, they date back to the early 2000s. Registries have since implemented policies that preclude mixing scripts[1] within a domain name label.
While this issue should be taken seriously and serves as an important reminder of consumer safety, various IDN and anti-abuse groups are actively working to mitigate potential threats, and there are already certain browser-set protections in place. In the meantime, Internet users should practice the same basic security hygiene that is always recommended: avoid clicking suspicious links, and use a good password manager that will only enter login credentials on trusted sites.
Equally important is to recognize the benefits of IDNs and avoid disabling them, which could lead to an unpredictable user experience and eventually a decrease in adoption. IDNs are essential in bringing non-English speakers – the majority of the world’s population – online, and allowing those users to create their own highly relevant online identities as well as navigate the Internet in their native languages. In addition to the social and cultural benefits of IDNs, they also represent a significant economic opportunity; a recent report commissioned by the Universal Acceptance Steering Group (UASG) found that online spending from new IDN users could start at USD 6.2 billion per year.
The UASG’s mission is to help software developers and website owners keep pace with the evolving Domain Name System (DNS) – and this includes issues around the adoption and acceptance of IDNs. If you’d like to get involved in helping work toward a solution to this and other IDN-related issues, please visit https://uasg.tech/ or get in touch to learn more.
[1] Exceptions are practiced for languages with established orthographies and conventions that require the commingled use of multiple scripts, e.g. the Japanese writing system.
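The two registry rules discussed in the thread above (no mixing of scripts within a label, and a label script that matches the TLD, as with ASCII-only .RU and Cyrillic-only .РФ) can be checked mechanically. The following is an added example, not part of any message in the thread; the script detection by Unicode character name, the `ALLOWED_COMBINATIONS` table and the flag names are assumptions of this sketch, and all samples except `xn--h1akeme.com` and `почта.рус` are constructed.

```python
import unicodedata

# Script is approximated from the Unicode character name, because Python's
# standard library exposes no Script property (an assumption of this sketch).
PREFIX_TO_SCRIPT = (
    ("LATIN", "Latin"), ("CYRILLIC", "Cyrillic"), ("GREEK", "Greek"),
    ("DEVANAGARI", "Devanagari"), ("HIRAGANA", "Hiragana"),
    ("KATAKANA", "Katakana"), ("CJK", "Han"),
)

# Footnote [1] of the draft: some orthographies legitimately commingle scripts.
# This one-entry table is a hypothetical stand-in for a registry's real policy.
ALLOWED_COMBINATIONS = (frozenset({"Han", "Hiragana", "Katakana"}),)


def script_of(ch):
    """Return a script name, or None for digits and hyphen (script-neutral)."""
    if ch.isdigit() or ch == "-":
        return None
    name = unicodedata.name(ch, "")
    for prefix, script in PREFIX_TO_SCRIPT:
        if name.startswith(prefix):
            return script
    return "Unknown"


def to_unicode(label):
    """Decode an A-label (xn--...) to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label


def scripts_in(text):
    """Set of scripts used in a decoded label, ignoring neutral characters."""
    return {s for s in map(script_of, text) if s is not None}


def audit(domain):
    """Return a list of (flag, label) findings for one domain name."""
    labels = [part for part in domain.rstrip(".").split(".") if part]
    flags, decoded = [], []
    for label in labels:
        try:
            text = to_unicode(label)
        except UnicodeError:
            # Malformed A-label: report it instead of guessing its content.
            flags.append(("undecodable-a-label", label))
            text = ""
        decoded.append((text, scripts_in(text)))
    tld_scripts = decoded[-1][1] if decoded else set()
    last = len(decoded) - 1
    for i, (text, found) in enumerate(decoded):
        mixed = len(found) > 1 and not any(
            found <= ok for ok in ALLOWED_COMBINATIONS)
        if mixed:
            # Rule 1: more than one script inside a single label.
            flags.append(("mixed-script", text))
        elif i < last and found and tld_scripts and found != tld_scripts:
            # Rule 2: single-script label whose script is not the TLD's.
            flags.append(("script-differs-from-tld", text))
    return flags


SAMPLES = [
    "xn--h1akeme.com",        # from the thread: Cyrillic label under .com
    "почта.рус",              # from the thread: Cyrillic label, Cyrillic TLD
    "ex\u0430mple.com",       # constructed: Cyrillic U+0430 among Latin letters
    "example.com",            # constructed: plain ASCII
    "日本語のドメイン.jp",      # constructed: footnote [1] combination
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, audit(sample))
```

A label written entirely in one script passes the mixed-script rule, so the TLD comparison is the only check here that reports a name such as `xn--h1akeme.com`.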
To Lars' point, let's focus on the article and getting it out.
One of the things that will hurt our efforts in UA is ignoring market impacts of scaring people inappropriately or discouraging them from support or use of IDN.
We could benefit from a stronger message that matches more of what edmon and rod have identified with respect to the molecule-sized scale of the issue. Using real statistical data from trusted sources, if we can indicate that this issue does exist but is quite small in scale, and contrast it to other phishing techniques that are prevalent in non-IDN, we can hopefully reduce the fear appropriately.
I am not suggesting we tell people to ignore the homograph confusability potential, but rather to put the matter into an appropriate contextual scale and not be used as a justification not to explore reaching a wider, global audience with IDN, where they might be hobbling growth of their goods or services having wider international consumers.
See if my redline helps - and treat it like a buffet - just put the stuff on your tray that works for you...
-Jothan
Jothan Frakes Tel: +1.206-355-0230
On Wed, Apr 26, 2017 at 11:47 AM, <icann@rodrasmussen.com> wrote:
Resending from my mailing list “approved” address.
===============================
Edmon,
Greg Aaron and I will be publishing a long-overdue catch-up on these APWG studies within the next couple weeks. In it we will cover 2015 and 2016. In it we will cover the fact that the described homograph attack problem is virtually non-existent in real-world phishing attacks. In all of 2015, the various organizations contributing data to the APWG saw ONE true homographic attack, and in 2016, TWO. There were other uses of IDNs and mixed scripts that we’ll discuss, but there were just a handful. Phishers don’t need to mount homographic attacks to be successful, and I’d say that most of them don’t have the skills and/or motivation to do so. Ironically, the “buzz” about it that this article and coverage has created may actually get a few bad guys interested in exploring the concept. :-( That said, just like any other vulnerability or exploit that has low use but high potential for harm, being prudent about putting measures in place to limit risk and building understanding of those risks are still well worth pursuing, but this certainly isn’t an emergency that needs the “overheating” Andrei so appropriately mentioned. I’ll send a link to the paper once we get it published via the APWG.
Cheers,
Rod
FWIW, I think the redline is now a little too long.
On Wed, Apr 26, 2017 at 03:20:02PM -0700, Jothan Frakes wrote:
To Lars' point, let's focus on the article and getting it out.
One of the things that will hurt our efforts in UA is ignoring market impacts of scaring people inappropriately or discouraging them from support or use of IDN.
We could benefit from a stronger message that matches more of what edmon and rod have identified with respect to the molecule-sized scale of the issue. Using real statistical data from trusted sources, if we can indicate that this issue does exist but is quite small in scale, and contrast it to other phishing techniques that are prevalent in non-IDN, we can hopefully reduce the fear appropriately.
I am not suggesting we tell people to ignore the homograph confusability potential, but rather to put the matter into an appropriate contextual scale and not be used as a justification not to explore reaching a wider, global audience with IDN, where they might be hobbling growth of their goods or services having wider international consumers.
See if my redline helps - and treat it like a buffet - just put the stuff on your tray that works for you...
-Jothan
Jothan Frakes Tel: +1.206-355-0230
On Wed, Apr 26, 2017 at 11:47 AM, <icann@rodrasmussen.com> wrote:
Resending from my mailing list “approved” address.
===============================
Edmon,
Greg Aaron and I will be publishing a long-overdue catch-up on these APWG studies within the next couple weeks. In it we will cover 2015 and 2016. In it we will cover the fact that the described homograph attack problem is virtually non-existent in real-world phishing attacks. In all of 2015, the various organizations contributing data to the APWG saw ONE true homographic attack, and in 2016, TWO. There were other uses of IDNs and mixed scripts that we’ll discuss, but there were just a handful. Phishers don’t need to mount homographic attacks to be successful, and I’d say that most of them don’t have the skills and/or motivation to do so. Ironically, the “buzz” about it that this article and coverage has created may actually get a few bad guys interested in exploring the concept. :-( That said, just like any other vulnerability or exploit that has low use but high potential for harm, being prudent about putting measures in place to limit risk and building understanding of those risks are still well worth pursuing, but this certainly isn’t an emergency that needs the “overheating” Andrei so appropriately mentioned. I’ll send a link to the paper once we get it published via the APWG.
Cheers,
Rod
On Apr 26, 2017, at 5:07 AM, Edmon Chung <edmon@registry.asia> wrote:
Should consider including reference to:
https://www.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf Only 10 of the 42,624 domain names we studied were IDNs, and only one was a homographic attack.
https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf Eighty-two of the 82,163 domain names were internationalized domain names (IDNs), and none were homographic attacks.
https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf Seventy-eight of the 53,685 domain names were internationalized domain names (IDNs), and three of them were homographic attacks.
And this is certainly not a new issue:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web& cd=2&cad=rja&uact=8&ved=0ahUKEwjwwqzBhcLTAhWIVbwKHShHA 9kQFggtMAE&url=https%3A%2F%2Fwww.symantec.com%2Fcontent% 2Fdam%2Fsymantec%2Fdocs%2Fsecurity-center%2Farchives% 2Fintelligence-quarterly-oct-09-en.pdf&usg=AFQjCNGu8162_ PXXqnhfHjAQfSUAqYaEXw
www.symantec.com/content/en/us/enterprise/other_resources/ b-intelligence_report_08-2011.en-us.pdf
Edmon
*From:* ua-discuss-bounces@icann.org [mailto:ua-discuss-bounces@icann.org <ua-discuss-bounces@icann.org>] *On Behalf Of *Lars Steffen *Sent:* Wednesday, 26 April 2017 18:15 PM *To:* Andrei Kolesnikov <andrei@rol.ru>; Don Hollander < don.hollander@icann.org> *Cc:* Dr. AJAY D A T A <ajay@data.in>; tan tanakadennis via ua-discuss < ua-discuss@icann.org> *Subject:* Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Hi all, A general reply to this thread: Can we agree on the current version of the blog post to be published asap before we continue the discussion…? Thank you, Lars
*Von:* ua-discuss-bounces@icann.org [mailto:ua-discuss-bounces@icann.org <ua-discuss-bounces@icann.org>] *Im Auftrag von *Andrei Kolesnikov *Gesendet:* Mittwoch, 26. April 2017 12:06 *An:* Don Hollander <don.hollander@icann.org> *Cc:* Dr. AJAY D A T A <ajay@data.in>; tan tanakadennis via ua-discuss < ua-discuss@icann.org> *Betreff:* Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Dusan gave us great overview of different ccTLD which ICANN has very little control. However most of the cc registries carry the mitigation process to bring down malicious domain names used explicitly for bad purposes.
I definitely don't support overheating the problem. If cross-script attack reaches the level of Kaminsky attack hysteria, we are in deep trouble :) --andrei
2017-04-26 12:50 GMT+03:00 Don Hollander <don.hollander@icann.org>:
I would expect a fair number of ccTLDs where it could be an issue as well.
Andrei: What about ccTLDs in other Cyrillic script communities? Have they taken the same precautions as .ru?
D
On 26/04/2017, at 9:40 PM, Dr. AJAY D A T A <ajay@data.in> wrote:
Exactly Andrie. Thank you for confirming the same.
I confirmed with .pyc registry (we enabled EAI on почта.рус) also and they are not allowed (as per agreement) to use any other script other than Cyrillic.
So basically it looks like .com problem. Any other examples other than .com ? It narrows down the problem to solve.
Thanks. *Dr. Ajay DATA* * | Founder & CEO * Get email id like *अजय@डाटा.भारत <%E0%A4%85%E0%A4%9C%E0%A4%AF@xn--c2bd1gb.xn--h2brj9c>* in your own language, visit www.xgenplus.com
------------------------------
*From:* Andrei Kolesnikov <andrei@rol.ru> MailId : [68484721] *To:* Don Hollander <don.hollander@icann.org> *Cc:* "Dr. AJAY D A T A" <ajay@data.in>,tan tanakadennis via ua-discuss < ua-discuss@icann.org> *Subject: *Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns *Date:* 26 Apr 2017 02:16:05 PM Don, there is no such thing as IDN at .RU - only ascii allowed - we understood the problem long time ago due to similarity of many Cyrillic letters with Latin.
In IDN .РФ in Russia only Cyrillic allowed. This definitely must be the rule for registries. Or some kind of immediate mitigation service to bring down dangerous domains. --andrei
2017-04-26 11:34 GMT+03:00 Don Hollander <don.hollander@icann.org>:
Hi Andrei:
What about at the ccTLD? idn.ru? Does .ru also allow ASCII?
Does the .ru registry, for example, do anything to address homoglyphs between ascii and cyrillic?
D
On 26/04/2017, at 8:30 PM, Andrei Kolesnikov <andrei@rol.ru> wrote:
most use of idn.ascii gTLD as far as I know is .com for example http://путин.com/[xn--h1akeme.com] <https://urldefense.proofpoint.com/v2/url?u=http-3A__xn-2D-2Dh1akeme.com_&d=D...>
Basically most of the confusing cases discussed above are from .com --andrei
2017-04-26 10:35 GMT+03:00 Dr. AJAY D A T A <ajay@data.in>:
Hello Don,
Which all registries are allowed to register mix of scripts domain while registering an IDN. I checked .pyc (Cyrillic) and .भारत (Devanagiri) do not allow mix of scripts. I think we address those registries through ICANN by modifying the registry agreement, major problem can be solved.
Thanks.
*Dr. Ajay DATA* * | Founder & CEO * Get email id like *अजय@डाटा.भारत <%E0%A4%85%E0%A4%9C%E0%A4%AF@xn--c2bd1gb.xn--h2brj9c>* in your own language, visit www.xgenplus.com[xgenplus.com] <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.xgenplus.com_&d=DwMF...>
------------------------------ *From:* "Tan Tanaka,Dennis via UA-discuss" <ua-discuss@icann.org> MailId : [68456683] *To:* Don Hollander <don.hollander@icann.org>,"ua-discuss@icann.org" < ua-discuss@icann.org> *Subject: *Re: [UA-discuss] UASG Response to WordFence IDN Phishing concerns *Date:* 25 Apr 2017 06:28:22 PM
Don, my comments enclosed
Thanks -Dennis
*From: *<ua-discuss-bounces@icann.org> on behalf of Don Hollander < don.hollander@icann.org> *Date: *Monday, April 24, 2017 at 5:40 PM *To: *"UA-discuss@icann.org" <ua-discuss@icann.org> *Subject: *[EXTERNAL] [UA-discuss] UASG Response to WordFence IDN Phishing concerns
Further to recent discussion on this list, we have drafted a document that we plan on posting as a Blog Post to the UASG Web site that can be referenced by others.
We want to get feedback from the community on this document by Thursday UTC.
So, here it is – pasted below and as a word document in case you want to enable tracking and make amendments. If you have comments or suggestions, please share them to this group.
Don
*IDNs and Phishing: What You Need to Know* By TBD at UASG
Internationalized Domain Names[icann.org] <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_resources...> (IDNs) are growing in popularity, a testament to their role in the expansion of the global Internet and the value they provide in connecting non-English speakers to the Web. However, you may have noticed a renewed focus over the past week of a script mixing technique that phishing scammers could potentially use to trick Internet users into visiting malicious websites. This phishing method takes advantage of the fact that characters from various languages and scripts are sometimes visually similar to each other. For example, the Cyrillic “а” and the ASCII[en.wikipedia.org] <https://urldefense.proofpoint.com/v2/url?u=https-3A__en.wikipedia.org_wiki_A...> “a” look virtually identical. This technique is known as a homograph attack.
Homographic phishing efforts associated with IDNs are not new. In fact, they date back to the early 2000s. Registries have since implemented policies that preclude mixing scripts[1] within a domain name label.
While this issue should be taken seriously and serves as an important reminder of consumer safety, various IDN and anti-abuse groups are actively working to mitigate potential threats, and there are already certain browser-set protections in place. In the meantime, Internet users should practice the same basic security hygiene that is always recommended: avoid clicking suspicious links, and use a good password manager that will only enter login credentials on trusted sites.
Equally important is to recognize the benefits of IDNs and avoid disabling them, which could lead to an unpredictable user experience and eventually a decrease in adoption. IDNs are essential in bringing non-English speakers – the majority of the world’s population – online, and allowing those users to create their own highly relevant online identities as well as navigate the Internet in their native languages. In addition to the social and cultural benefits of IDNs, they also represent a significant economic opportunity; a recent report commissioned by the Universal Acceptance Steering Group (UASG) found that online spending from new IDN users could start at USD 6.2 billion per year.
The UASG’s mission is to help software developers and website owners keep pace with the evolving Domain Name System (DNS) – and this includes issues around the adoption and acceptance of IDNs. If you’d like to get involved in helping work toward a solution to this and other IDN-related issues, please visit https://uasg.tech/ or get in touch to learn more.
------------------------------
[1] Exceptions are practiced for languages with established orthographies and conventions that require the commingled use of multiple scripts, e.g. the Japanese writing system.
-- Andrey Kolesnikov RIPN.NET
Don Hollander Universal Acceptance Steering Group Skype: don_hollander
-- Andrey Kolesnikov RIPN.NET <http://ripn.net/>
-- Andrew Sullivan ajs@anvilwalrusden.com
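As an added illustration (not part of the thread or of the UASG draft), this Python sketch applies the per-label rule the draft describes: decode each label, approximate the script of every character, and flag labels that mix scripts, allowing the Japanese combination from footnote [1]. The script lookup via the first word of the Unicode character name, the status strings and the constructed `ex\u0430mple` label are assumptions made for this example; `xn--h1akeme` and `xn--xj8h` are the labels quoted in the thread.

```python
import unicodedata

# Footnote [1] exception: scripts that Japanese orthography combines (assumed set).
JAPANESE = frozenset({"CJK", "HIRAGANA", "KATAKANA"})


def to_unicode(label: str) -> str:
    """Decode an A-label (xn--...) to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label: str) -> set:
    """Approximate scripts used in a label from Unicode character names."""
    found = set()
    for ch in to_unicode(label):
        cat = unicodedata.category(ch)
        if cat == "Nd" or ch == "-":
            continue  # digits and hyphen are shared across scripts
        if cat[0] not in "LM":
            found.add("SYMBOL")  # emoji, punctuation, other non-letters
        else:
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def check_label(label: str) -> str:
    """Classify one label under a no-script-mixing registration rule."""
    scripts = scripts_in(label)
    if "SYMBOL" in scripts:
        return "non-letter"
    if len(scripts) <= 1:
        return "single-script"
    if scripts <= JAPANESE:
        return "allowed-combination"
    return "mixed-script"


def check_domain(domain: str) -> dict:
    """Apply the rule to every label; keys are the decoded labels."""
    labels = domain.rstrip(".").split(".")
    return {to_unicode(lbl): check_label(lbl) for lbl in labels}


if __name__ == "__main__":
    samples = [
        "xn--h1akeme.com",    # from the thread: Cyrillic label under .com
        "ex\u0430mple.com",   # constructed: Latin letters plus Cyrillic U+0430
        "東京のホテル.example",  # constructed: Han + Hiragana + Katakana
        "xn--xj8h.ws",        # from the thread: emoji label under .ws
    ]
    for name in samples:
        print(name, "->", check_domain(name))
```

Each label of путин.com is single-script on its own, so a per-label rule accepts it; that is the IDN-under-ASCII-TLD case raised in the thread, and catching single-script look-alikes takes a confusables comparison in addition to this rule.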
There is .ws where most anything can be registered eg http://🍺.ws
André Schappo
Facebook, though, does not allow this kind of URL so far; it converts http://xn--xj8h.ws/ in a post to invalid.invalid
Sincerely Yours,
Maxim Alzoba
Special projects manager, International Relations Department, FAITID
m. +7 916 6761580(+whatsapp)
skype oldfrogger
Current UTC offset: +3.00 (.Moscow)
On Apr 27, 2017, at 15:04, Andre Schappo <A.Schappo@lboro.ac.uk> wrote:
There is .ws where most anything can be registered eg http://🍺.ws
André Schappo
participants (12)
- Andre Schappo
- Andrei Kolesnikov
- Andrew Sullivan
- Don Hollander
- Dr. AJAY D A T A
- Dusan Stojicevic
- Edmon Chung
- icann@rodrasmussen.com
- Jothan Frakes
- Lars Steffen
- Maxim Alzoba
- Rod Rasmussen