Is this a homograph attack?
Yes, that's a homograph attack.
Unicode Character 'LATIN SMALL LETTER A WITH DOT BELOW' (U+1EA1)
Adidas have no reason to use that character in any of their domains.
Adidas are a German company and the underdot is not used in German.
When part of a hostname contains a non-ASCII character (such as this), the browser converts that element to IDNA encoding. So the actual DNS lookup is www.xn--adids-m11b.com
You can easily check this using Wireshark or tcpdump and then clicking your URL http://www.adidạs.com/ in a web browser.
The real Adidas use content delivery networks, including Akamai, as do many other large organisations.
> host www.adidas.com
www.adidas.com is an alias for chinacdn.ev.adidas.edgekey.net.
chinacdn.ev.adidas.edgekey.net is an alias for e2828.a.akamaiedge.net.
e2828.a.akamaiedge.net has address 2.19.150.110
This fake lot don't
> host www.xn--adids-m11b.com
www.xn--adids-m11b.com has address 104.27.180.65
www.xn--adids-m11b.com has address 104.27.181.65
www.xn--adids-m11b.com has IPv6 address 2400:cb00:2048:1::681b:b541
www.xn--adids-m11b.com has IPv6 address 2400:cb00:2048:1::681b:b441
This leads to what is probably some sort of scam or virus dump.
> wget -S -O - www.xn--adids-m11b.com
--2018-02-03 18:21:54-- http://www.xn--adids-m11b.com/
Resolving www.xn--adids-m11b.com... 104.27.180.65, 104.27.181.65, 2400:cb00:2048:1::681b:b541, ...
Connecting to www.xn--adids-m11b.com|104.27.180.65|:80... connected.
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Sat, 03 Feb 2018 18:21:56 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de9ae099750b5ca0fa59df2255aefedbd1517682116; expires=Sun, 03-Feb-19 18:21:56 GMT; path=/; domain=.xn--adids-m11b.com; HttpOnly
Last-Modified: Sat, 03 Feb 2018 14:23:22 GMT
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 3e7769a9b00c348e-LHR
Length: unspecified [text/html]
Saving to: 'STDOUT'
<script type="text/javascript">
<!--
window.location = "http://xn--adids-m11b.com/shoes/"
//-->
</script>
<!DOCTYPE html>
<head>
<meta property="og:image" content="images/logo.png" />
<meta property="og:title" content="Adidas is giving away 5000 Free Pair of Shoes to celebrate its 93rd anniversary" />
<script src="s4.min.js"></script>
...
Ben Druno
Updated on September 18, 2022
Comments
-
Ben Druno (about 1 year): I got a link to an Adidas website showing some offers. But when I had a close look, the address has some suspicious difference: www-adidạs-com, here the 'a' is different. Is this a homograph attack? http://www.adidạs.com/
-
Ravindra Bawane (almost 6 years): Looks like one. Look up the DNS entries for that URL to see how their records compare with the real Adidas site.
-
Ben Druno (almost 6 years): How do I look up DNS entries for a URL? Also, I can't traceroute or whois lookup this URL. It says 'Failed to resolve url'.
-
Ben Druno (almost 6 years): How do I look up DNS entries for records?
-
Ben Druno (almost 6 years): But how can someone run a website with this domain? I can't do a whois lookup for it. It shows "failed to resolve url".
-
user5249203 (almost 6 years): @Ben - see updated answer
-
Ben Druno (almost 6 years): So, even though the domain has non-ASCII characters, it is converted to IDNA. So a domain name can have some sort of special characters too?
-
user5249203 (almost 6 years): @Ben Yes, when first invented, DNS was ASCII only; nowadays, through IDNA and so on, DNS has been upgraded to support Unicode. DNS registries and browsers implement measures to mitigate against spoofing using homographs, which is probably why this URL's server ultimately redirects the client to a different URL.
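The answer explains that a browser turns the non-ASCII label into its IDNA (xn--) form before the DNS lookup, and the last comment mentions that registries and browsers check for homographs. The script below is an added example (not code from the answer or the comments) that does both with Python's standard library: it converts a hostname between its Unicode and xn-- forms with the built-in idna codec, and then flags any non-ASCII label whose accent-stripped "skeleton" matches a protected brand name. The brand watch-list and the sample hostnames are constructed for the example; the real-world detail that Python's idna codec implements IDNA 2003 (nameprep), while current browsers use UTS #46 / IDNA 2008 rules, means the two can disagree on some exotic labels, though not on this one.

```python
"""Homograph / IDNA check (added example, not from the original answer).

Converts hostnames between their Unicode and IDNA ("xn--") forms with the
standard-library idna codec, then flags labels whose ASCII "skeleton"
(combining marks stripped) matches a protected brand while the real label
does not. PROTECTED_LABELS and the sample hostnames are constructed here.
"""
import unicodedata

# Constructed watch-list of labels we want to protect against look-alikes.
PROTECTED_LABELS = {"adidas", "example"}


def to_idna(host: str) -> str:
    """Return the ASCII (IDNA/punycode) form a resolver actually looks up."""
    return host.encode("idna").decode("ascii")


def from_idna(host: str) -> str:
    """Decode an xn-- hostname back to the Unicode a user would be shown."""
    return host.encode("ascii").decode("idna")


def ascii_skeleton(label: str) -> str:
    """Strip combining marks (e.g. the dot below in U+1EA1 'ạ') so that a
    look-alike letter collapses onto its base ASCII letter."""
    decomposed = unicodedata.normalize("NFD", label)
    stripped = "".join(
        ch for ch in decomposed if unicodedata.category(ch) != "Mn"
    )
    return stripped.lower()


def homograph_check(host: str, protected=PROTECTED_LABELS) -> dict:
    """Report the Unicode and xn-- forms of `host`, which labels are
    non-ASCII, and which of those collapse onto a protected brand name."""
    unicode_host = from_idna(host) if "xn--" in host.lower() else host
    report = {
        "input": host,
        "unicode": unicode_host,
        "idna": to_idna(unicode_host),
        "non_ascii_labels": [],
        "suspicious": [],
    }
    for label in unicode_host.split("."):
        if label.isascii():
            continue
        report["non_ascii_labels"].append(label)
        skeleton = ascii_skeleton(label)
        # A non-ASCII label whose skeleton is a protected brand is a look-alike.
        if skeleton in protected and skeleton != label.lower():
            report["suspicious"].append((label, skeleton))
    return report


if __name__ == "__main__":
    # Constructed inputs: the genuine host, the look-alike, and its xn-- form.
    for h in ["www.adidas.com", "www.adidạs.com", "www.xn--adids-m11b.com"]:
        print(homograph_check(h))
```

Run as a script it prints a report for each constructed hostname; the look-alike decodes to `www.adidạs.com`, encodes to `www.xn--adids-m11b.com` (the name the answer's `host` and `wget` output shows), and is reported as suspicious because its skeleton is `adidas`. The NFD-plus-strip-marks skeleton is a deliberately simplified version of the confusable detection described in Unicode Technical Standard #39; it catches diacritic tricks like this one but not, for example, Cyrillic letters that merely look like Latin ones, which is why browsers additionally apply mixed-script rules and fall back to displaying the raw xn-- form.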