Major domain name bug allowed hackers to register malicious domains

Always double check that URL.
By Matt Binder
A recently discovered bug affecting what domain names could be registered left a huge opening for malicious actors looking to scam people. Credit: Getty Images/iStockphoto

Thanks to a bug at some of the internet’s largest domain registrars, bad actors were able to register malicious domains until just late last month.

If I told you to click on this URL, amɑzon.com, and log in for a great limited-time deal over at Amazon, would you notice it wasn’t really Amazon’s domain name?

Hover over it, give it a click. You’ll find that it actually directs you to xn--amzon-1jc.com. Why? Look closely and you’ll notice that the second “a” and the “o” aren’t actually the letters “a” and “o” from the Latin alphabet, which is what’s used in the English language.

It’s not supposed to be possible to register these domain names due to the malicious attacks they could be used for. Many web browsers change the characters in the URL from Unicode to Punycode, as seen in the earlier example, for that very reason.

The zero-day, or previously unknown, bug was discovered by Matt Hamilton, a security researcher at Soluble, in partnership with the security firm Bishop Fox.

According to Hamilton’s research, he was able to register dozens of names using Latin homoglyphs, which are characters that look like other characters. Verisign, Google, Amazon, DigitalOcean, and Wasabi were among the affected companies allowing the registration of these names.

“Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates,” writes Hamilton. “This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity.”

Hamilton held his report for publication until Verisign, the company that runs the domain registries for prominent general top level domain (gTLD) extensions like .com and .net, fixed the issue. The research was only conducted on gTLDs run by Verisign. He states that among all the vendors he contacted, Amazon and Verisign in particular took the issue very seriously.


In the Cyrillic alphabet specifically, there are a number of letters that look nearly identical to letters in the Latin alphabet. For example, here’s the character for “a” in Latin. Here’s the character for “ɑ” in Cyrillic.

Combining these homoglyph characters with the Latin alphabet in a domain name could create a URL that looks very much like one that’s already registered by another company, such as the fake Amazon domain mentioned earlier.

Hackers could use these domain names to create phishing websites that look like legitimate sites for services like Gmail or PayPal. Such a site could then be used to steal a user's website password or credit card information.

Hamilton was able to register the following domain names thanks to this bug:

amɑzon.com

chɑse.com

sɑlesforce.com

ɡmɑil.com

ɑppɩe.com

ebɑy.com

ɡstatic.com

steɑmpowered.com

theɡuardian.com

theverɡe.com

washinɡtonpost.com

pɑypɑɩ.com

wɑlmɑrt.com

wɑsɑbisys.com

yɑhoo.com

cɩoudfɩare.com

deɩɩ.com

gmɑiɩ.com

gooɡleapis.com

huffinɡtonpost.com

instaɡram.com

microsoftonɩine.com

ɑmɑzonɑws.com

ɑndroid.com

netfɩix.com

nvidiɑ.com

ɡoogɩe.com

In total, he spent $400 to register the domain names that could be used to scam people out of much, much more.

Internationalized domain names, or IDNs, have become popular in recent years. These domains allow users around the world to register names using their native language, such as Greek or Japanese, where you may find non-Latin characters.

However, malicious actors quickly discovered ways to use IDNs for attacks.

As Bleeping Computer points out, the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that manages the web's domain name system, has IDN guidelines stating that domain registrars should not allow domains to be registered using a combination of different alphabets, for this very reason.

It's not a new practice, though. The Register notes how homograph attacks have been an issue for the web for 15 years.

As for amɑzon.com, or should I say xn--amzon-1jc.com, Hamilton has since transferred the domain to Amazon, the company that can be found at the real amazon.com.
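As an added example (not code from the article or from Hamilton's research), here is one way a defender could check a domain for the look-alike characters in the list above: it produces the Punycode form, names each non-ASCII character, and reports which protected name the domain imitates. The `CONFUSABLES` table, the `WATCHLIST` and the function names are assumptions made for this sketch, and `to_a_label` is a simplified conversion that skips full IDNA normalization.

```python
import unicodedata

# Constructed table: the three look-alike characters read from the article's
# domain list, each mapped to the ASCII letter it imitates (assumption).
CONFUSABLES = {"\u0251": "a", "\u0261": "g", "\u0269": "l"}

# Hypothetical watchlist of names an organisation wants to protect.
WATCHLIST = {"amazon.com", "paypal.com", "google.com", "gmail.com"}


def to_a_label(domain):
    """Return the ASCII (Punycode) form of each label, as a browser would show it."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            # Simplified: raw Punycode with the "xn--" prefix, no IDNA mapping step.
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def skeleton(domain):
    """Replace known look-alike characters with the letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def inspect_domain(domain):
    """Report non-ASCII characters and any watchlist name the domain imitates."""
    # unicodedata.name() shows which character each glyph really is.
    odd = [(f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
           for ch in domain if not ch.isascii()]
    skel = skeleton(domain)
    # Only flag names that differ from the real one but collapse onto it.
    imitates = skel if (odd and skel in WATCHLIST) else None
    return {"a_label": to_a_label(domain), "non_ascii": odd, "imitates": imitates}


if __name__ == "__main__":
    # Constructed sample input: three names from the list above plus the real one.
    for name in ["am\u0251zon.com", "p\u0251yp\u0251\u0269.com",
                 "\u0261oog\u0269e.com", "amazon.com"]:
        print(inspect_domain(name))
```

The same skeleton comparison can be run over newly observed domains in certificate or DNS logs to catch imitations of names you own.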
