Is this a homograph attack?


Yes, that's a homograph attack.

Unicode Character 'LATIN SMALL LETTER A WITH DOT BELOW' (U+1EA1)

Adidas have no reason to use that character in any of their domains.

Adidas are a German company and the underdot is not used in German.


When part of a hostname contains a non-ASCII character (such as this), the browser converts that element to IDNA encoding. So the actual DNS lookup is www.xn--adids-m11b.com

You can easily check this using Wireshark or tcpdump and then clicking your URL http://www.adidạs.com/ in a web browser.

The real Adidas use content delivery networks, including Akamai, as do many other large organisations.

> host www.adidas.com
www.adidas.com is an alias for chinacdn.ev.adidas.edgekey.net.
chinacdn.ev.adidas.edgekey.net is an alias for e2828.a.akamaiedge.net.
e2828.a.akamaiedge.net has address 2.19.150.110

This fake lot don't

> host www.xn--adids-m11b.com
www.xn--adids-m11b.com has address 104.27.180.65
www.xn--adids-m11b.com has address 104.27.181.65
www.xn--adids-m11b.com has IPv6 address 2400:cb00:2048:1::681b:b541
www.xn--adids-m11b.com has IPv6 address 2400:cb00:2048:1::681b:b441

This leads to what is probably some sort of scam or virus dump

> wget -S -O - www.xn--adids-m11b.com 
--2018-02-03 18:21:54--  http://www.xn--adids-m11b.com/
Resolving www.xn--adids-m11b.com... 104.27.180.65, 104.27.181.65, 2400:cb00:2048:1::681b:b541, ...
Connecting to www.xn--adids-m11b.com|104.27.180.65|:80... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 200 OK
  Date: Sat, 03 Feb 2018 18:21:56 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: keep-alive
  Set-Cookie: __cfduid=de9ae099750b5ca0fa59df2255aefedbd1517682116; expires=Sun, 03-Feb-19 18:21:56 GMT; path=/; domain=.xn--adids-m11b.com; HttpOnly
  Last-Modified: Sat, 03 Feb 2018 14:23:22 GMT
  Accept-Ranges: bytes
  Server: cloudflare
  CF-RAY: 3e7769a9b00c348e-LHR
Length: unspecified [text/html]
Saving to: 'STDOUT'

<script type="text/javascript">
<!--
window.location = "http://xn--adids-m11b.com/shoes/"
//-->
</script>
<!DOCTYPE html>
<head>

<meta property="og:image" content="images/logo.png" />
<meta property="og:title" content="Adidas is giving away 5000 Free Pair of Shoes to celebrate its 93rd anniversary" />
<script src="s4.min.js"></script>
...

Author: Ben Druno

Updated on September 18, 2022

Comments

  • Ben Druno, about 1 year

    I got a link to an Adidas website showing some offers. But when I had a close look, the address had a suspicious difference: www-adidạs-com, where the 'a' is different. Is this a homograph attack? http://www.adidạs.com/

    • Ravindra Bawane, almost 6 years
      Looks like one. Look up the DNS entries for that URL to see how their records compare with the real Adidas site.
    • Ben Druno, almost 6 years
      How do I look up DNS entries for a URL? Also I can't traceroute or whois lookup this URL. It says 'Failed to resolve url'.
    • Ben Druno, almost 6 years
      How do I look up DNS entries for records?
  • Ben Druno, almost 6 years
    But how can someone run a website with this domain? I can't do a whois lookup for this. It is showing "failed to resolve url".
  • user5249203, almost 6 years
    @Ben - see updated answer
  • Ben Druno, almost 6 years
    So, even though the domain has non-ASCII characters, it will be converted to IDNA. So a domain name can have some sort of special characters too?
  • user5249203, almost 6 years
    @Ben Yes: when first invented, DNS was ASCII only; nowadays, through IDNA and so on, DNS has been upgraded to support Unicode. DNS registries and browsers implement measures to mitigate against spoofing using homographs - which is probably why this URL's server ultimately redirects the client to a different URL.