Recently Donuts Inc. was made aware of independent findings about a potential security vulnerability in the gTLD space. Matt Hamilton of Soluble.ai highlighted the ability to register lookalike or homograph .COM domain names. Hamilton was able to register potentially malicious names, including domain names that mimic global consumer brands, using homographs. After being notified of the vulnerability, Verisign took action to combat its exploitation by removing three potentially confusing characters from their Latin script table.
Donuts applauds the steps taken toward addressing homograph abuse. The malicious use of homographs is especially relevant with the spread of the Coronavirus. As seen with past natural disasters and the ensuing panic, phishing attacks are already being used to redirect funds meant for Coronavirus relief efforts. The World Health Organization receives reports of virus-related phishing attempts daily (Wall Street Journal, 3/4/20). We believe this is a crucial time to gain more industry consensus around the best ways to thwart this dangerous behavior while facilitating the legitimate use of Internationalized Domain Names (IDNs).
We are encouraged to see our industry peers taking action as new light is shed on domain industry vulnerabilities. However, it’s important to understand that not all mitigation measures are equal in their effectiveness to prevent phishing attacks and other fraudulent behavior.
Since its inception, Donuts has recognized the need to prevent and take action against abusive domain name registrations, many of which prey on online communities. Donuts delivers proactive protective solutions through our Domains Protected Marks List, DPML, which today protects 3,500 of the world’s largest consumer brands. In 2018, Donuts enhanced DPML to include logic that prevents the registration of malicious homograph internationalized domain names for the entirety of Unicode’s Confusables table, including Latin, Greek, and Cyrillic scripts.
Today, that table contains more than 6,000 potentially confusing characters, 80 of which appear in both Donuts and Verisign’s ICANN approved Latin script tables. Thus, one can see that the issue stretches beyond the three characters identified by Soluble.ai.
To illustrate the need for an expanded approach, consider one of the names highlighted in the Soluble research study. For the term “Google,” the recent mitigation effort protects 7 potentially malicious domain permutations, whereas Donuts’ homograph detection identifies and protects 479 permutations of the same name, a sample of five of these permutations are included in the table below.
So, why not remove all confusable characters from script tables?
Even though some characters have the potential to be adopted for malicious use, the characters themselves are not inherently dangerous. There are many legitimate use cases for these characters and removing them altogether would leave multiple localized alphabets incomplete. For example, the “dotless i” Unicode character “ı” (U+0131) is one of the most commonly used malicious character substitutions for IDN homographs. However, in regular language expressions, this character has valid uses in Turkish, Kazakhand, and Azerbaijani. These languages treat the dotted & dotless “i” as separate characters in their alphabet, and outright removal would prevent full localization of those languages online.
Donuts recognizes that while large brands have resources to enforce trademarks, individuals and brands of all sizes need protection. For this reason, we are working to expand homograph security coverage so that brands, individuals, and the rest of our community are better protected from day one.
Donuts plans to roll out comprehensive, sustainable homograph protection by the middle of 2020. This algorithmic blocking product will be applied to all existing and future domain registrations. During the development process, the Donuts compliance team will be working closely with all registrar partners to remove existing malicious homographic registrations in the Donuts name space. Additionally, any attempts to register new malicious homographs in the interim will be identified and resolved in a timely manner.
From enhancing solutions to prevent homographic domain registrations, to establishing a framework to address domain abuse, Donuts is working to mitigate vulnerability from all angles and to reduce harm to individuals and communities online. We look forward to working with others in the industry to do the same.
