Olivier van der Toorn

The ability to include Unicode characters in domain names allows users to
work with domains in their regional languages. This is made possible by
Internationalized Domain Names (IDNs). However, the visual similarity between
different Unicode characters, called homoglyphs, is a potential security
threat, as visually similar domain names are often used in phishing attacks.
Timely detection of suspicious homograph domain names is an important step
towards preventing sophisticated attacks, since it can keep unaware users
from accessing homograph domains that actually carry malicious content. We
therefore propose a structured approach to identify suspicious homograph domain
names based not on use, but on characteristics of the domain name itself and
its associated DNS records. To achieve this, we leverage the OpenINTEL active
DNS measurement platform, which performs a daily snapshot of more than 65% of
the DNS namespace. In this paper, we first extend the existing Unicode
homoglyph tables (confusion tables). This allows us to detect on average 2.97
times as many homograph domains as with existing tables. Our proactive detection
of suspicious IDN homograph domains provides an early alert that would help both
domain owners and security researchers in preventing IDN homograph
abuse.
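
To illustrate how a confusion table turns IDNs seen in DNS data into homograph candidates, here is an added example; it is not code from the paper or from OpenINTEL. The table entries, the `.example` names and the function names are constructed for illustration, and treating accented letters as confusable with their base letter is an assumption of this sketch.

```python
import unicodedata

# Constructed excerpt of a confusion table (homoglyph -> ASCII look-alike);
# illustrative entries only, not the paper's extended tables.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def to_unicode(domain):
    """Decode A-labels (xn--...) to Unicode; None if the Punycode is malformed."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                return None
        labels.append(label)
    return ".".join(labels)

def skeleton(name):
    """Strip combining marks (assumption: accents are confusable), then map homoglyphs."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(CONFUSABLES.get(ch, ch) for ch in decomposed
                   if not unicodedata.combining(ch))

def find_homographs(observed, reference):
    """Return (observed name, imitated name) pairs for IDNs whose skeleton is a reference name."""
    hits = []
    for name in observed:
        uni = to_unicode(name)
        if uni is None or uni.isascii():
            continue  # an all-ASCII name is not an IDN homograph
        if skeleton(uni) in reference:
            hits.append((name, skeleton(uni)))
    return hits

# Constructed sample input, encoded to A-labels as names appear in DNS data.
SAMPLE = [d.encode("idna").decode("ascii") for d in (
    "\u0440\u0430\u0441\u0435.example", "c\u043ede.example", "m\u00fcnchen.example", "plain.example")]
REFERENCE = {"pace.example", "code.example", "plain.example"}

if __name__ == "__main__":
    print(find_homographs(SAMPLE, REFERENCE))
```

A match only marks a name as a candidate; the approach in the abstract also weighs the domain's associated DNS records before calling it suspicious.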


Title: A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements
Authors: Ramin Yazdani, Olivier van der Toorn, and Anna Sperotto
Publication date: September 2020
Journal: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)