Back in 2016, I ran into a post about someone buying ɢoogle.com.

It was used for phishing purposes (notice the first G).

Homographic characters look like ASCII letters, but their encoding is different, in a way that is usually not noticeable to the human eye.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

From a conversation I had with Google:

The use of homographics (i.e., Google with a facsimile G) might not fool everyone, but depending on the strategy employed, might run into challenges with security, networking, and other systems.

I wondered to myself:

There are new top-level-domains every year.

Did the world learn from the ɢoogle.com acquisition? How hard is it to create a good Google phishing website from scratch? Can I obtain an SSL certificate for this domain? Does Google monitor any ‘ɢoogle’ homographic domain registrations? Can I buy it through Google Domains? Will domain registrars suggest anything? Can I make a successful man-in-the-middle attack between a Google user and Google’s servers?

I shared it because I care.

Please use this for educational purposes only.

So, what top-level domains are up for sale?

It wasn’t hard to find some available ɢoogle domains.

Just search for ‘ɢoogle’ in any domain registrar, e.g. Google Domains, NameCheap and GoDaddy.

I bought the following domains:

These domains were auto-suggested; I didn’t even need to be creative with them. Google Domains suggested ‘ɢoogletranslate.com’ for me! The price is great, by the way…

And it worked…

I used a fake identity for the entire procedure, with “Not Google :)” as the organization name:

Setting up the phishing website with an SSL certificate

Launch a VPS in the cloud (AWS, Google Cloud, Azure, etc.). Route the DNS to that server. Install an Nginx/Apache HTTP server. Request a LetsEncrypt certificate (yes, I was able to get an SSL certificate from LetsEncrypt for these domains).

sudo certbot --nginx certonly --dry-run -d "xn--oogletranslate-u5f.com"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xn--oogletranslate-u5f.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

Then, all we need to do in order to see the client’s traffic with “Google” is to set up the nginx configuration as a reverse proxy:

server {
    location / {
        proxy_pass https://translate.google.com/;
        add_header NOT-GOOGLE-HEADER OK;
    }
    ...
}

Notice that I added an HTTP header to every response Google sends back:

NOT-GOOGLE-HEADER: OK  # you can check it in your browser's dev tools

Now, one can use https:// links to gain trust, while providing malicious content.

Take a look at this link, which redirects you through Medium to my newborn phishing domain, ɢoogletranslate.com:

The great thing about using a proxy is that my domain’s link previews, on every single platform, fetch Google Translate’s exact description while pointing to my link. Take a look at WhatsApp, for example.

The Result

Setup in minutes, no coding.

Cool, Huh?

As you can see, Chrome shows this domain as ‘Secure’ (lock icon).

On mobile phones, the ‘ɢ’ in my domain looks like an actual ‘G’.

Google’s JavaScript runs normally from my domain. Google’s JS does everything for me; I don’t even need to work on mimicking the Google service.

Getting Some Traffic

With some social engineering we can make users click on these domains and gain organic traffic with very little effort, thus demonstrating the viability of this attack.

I wanted to post some links/threads in security oriented websites in order to prove that even security-aware people may be misled by these domains.

Some previews look better; others are less attractive because of the URL encoding of the homographic characters.

Examples from Reddit and Hacker News:

Eventually, without much work, I ended up with hundreds of unique visitors (excluding the bots and security scanners or the platforms in which I posted).

What can we do to a visitor?

It looks and acts just like any Google single-page application.

As explained in the link, I am the one completing the SSL handshake with the user.

The original Google application is served and functions as expected, but I have access to all of the user’s traffic to the domain. Therefore, I can change the body of Google’s response. This is a man-in-the-middle attack that leverages an IDN homograph attack to get some traction.

The most precious piece of data to lay our hands on is probably login credentials or tokens.

Google uses the domain accounts.google.com for authentication.

I can, for example, override all the <a> tags in the HTML. Instead of pointing them to a subdomain of google.com (e.g. accounts.google.com), they can point to a custom phishing login page within the ɢoogletranslate.com domain.

We can steal the user’s Google login credentials by overriding the links within the page and pointing them to accounts.ɢoogletranslate.com (the sign-in button’s href attribute).

One can also inject a malicious <script> tag into the HTTP body and execute JavaScript or other code in the client’s browser.

A majority of the user agents that visited the links were old browsers that had not been updated for a long time.

Many of the Chrome, Firefox and Safari user agents in my access logs belong to devices that are vulnerable to 1-day attacks (including sandbox escapes).

What can be done in order to prevent these kinds of attacks?

Be suspicious of uppercase or unusual letters inside domains in links.

In 2016 the same thing happened with ɢoogle.com, yet ‘ɢoogle’ top-level domains are still up for sale. ɢoogle.com is blacklisted, but that is not the right way to fix it. Every domain that contains the word “ɢoogle”, or even “oogle”, should be banned by domain registrars and browsers.

Auto-suggested domains in Google Domains and other domain registrars help social engineering attacks: attackers don’t even need to come up with a name for the domain. 🤦🏻‍♂️

The ability to request an SSL certificate from LetsEncrypt for homographic domains is another problem.

Translate.google.com’s JavaScript runs on the page while it is served under ɢoogletranslate.com. The JavaScript should check that window.location is a legitimate Google domain and prevent the rest of the script from loading otherwise. The service can also return an HTTP error response by verifying the Referer header of the request, which in our case is https://xn--oogletranslate-u5f.com/.

For system admins: implement rules in your IDS/IPS for static analysis of your network traffic. Snort, Zeek (Bro) and Suricata have alerts and rules for homographic hosts. Make sure your rule set is up to date; malicious hosts are blacklisted all the time.
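One way to put the IDS/IPS and “ban every ɢoogle look-alike” points above into practice, as an added example (not code from the post): decode the punycode labels of each hostname seen in a log, map confusable characters to the ASCII letters they imitate, and flag hosts whose skeleton collapses onto a watched brand they do not own. The confusables subset, brand list and log lines are constructed for illustration; a real deployment would use the full UTS #39 table.

```python
import re
import unicodedata

# Constructed subset of the UTS #39 confusables table: non-ASCII letters that
# render like an ASCII letter. U+0262 is the 'ɢ' used in the post's domains.
CONFUSABLES = {
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
}
BRANDS = ("google",)             # constructed watch-list of protected names
LEGIT_DOMAINS = ("google.com",)  # constructed allow-list for those names

def to_unicode(host):
    """Decode every punycode (xn--) label of a hostname; other labels pass through."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed ACE label: keep it verbatim, it still gets inspected
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Replace each confusable character by the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", host))

def is_homograph(host):
    """True when a non-ASCII hostname collapses onto a watched brand it does not own."""
    uni = to_unicode(host)
    if any(uni == d or uni.endswith("." + d) for d in LEGIT_DOMAINS):
        return False
    if uni.isascii():
        return False  # plain typosquats (googletranslate.com) need a separate check
    return any(brand in skeleton(uni) for brand in BRANDS)

LOG_LINES = [  # constructed DNS query log lines; the xn-- host is the post's domain
    "2020-03-01T10:00:00Z 192.0.2.10 query translate.google.com A",
    "2020-03-01T10:00:01Z 192.0.2.11 query xn--oogletranslate-u5f.com A",
    "2020-03-01T10:00:02Z 192.0.2.12 query googletranslate.com A",
    "2020-03-01T10:00:03Z 192.0.2.13 query g\u043e\u043egle.com A",
]
QUERY_RE = re.compile(r"\bquery (\S+) ")

def scan_log(lines):
    """Return the decoded hostnames in the log that look like brand homographs."""
    hosts = (m.group(1) for m in map(QUERY_RE.search, lines) if m)
    return [to_unicode(h) for h in hosts if is_homograph(h)]
```

Running scan_log(LOG_LINES) flags ɢoogletranslate.com and the Cyrillic gооgle.com while leaving translate.google.com and the pure-ASCII typosquat alone.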

Google’s response

It wasn’t a surprise to me. Google took my security report seriously.

Thank you for the considerable material, the thought behind it, as well as the actual money used to secure those domain names in creating this report. Homographic attacks are always interesting in their social engineering application, but more challenging is deploying an attack that will trick not only the user, but also the infrastructure. There are some considerations with your submission…

We’re still discussing it, actually. I have some attack scenarios to clarify and explain, but I have taken the POC one step further since then.

This issue is not Google specific.

There are some minor steps the internet can take in order to prevent this kind of attack in the future.

Until there is a solution out there, every big company or service will have to secure their domains and assets by spending lots of money on similar domain names.

I hope you agree: the steps to reproduce this kind of attack are pretty simple for anyone with basic Linux and networking knowledge.

I didn’t do any magic tricks, and I wasn’t the first (4 years have passed, and I was just curious). Some kinds of attacks are really hard to block.

I think Gmail would be even more interesting (I own ɢoogle.email).

A successful POC was shown here.

For more information, feel free to contact me.