Study by WhoisXML API Explores IDNs, Native-Language Characters, and Homograph Attacks

While the usage of internationalized domain names (IDNs) has allowed organizations the world over to enter the global market using their native-language domain names, it can also enable cyber attackers to craft look-alikes of legitimate domains they wish to spoof.

Case in point? The Nitrogen malware campaign, where threat actors exploited Punycode to create deceptive domains. They used wìnscp[.]net (Punycode translation: xn--wnscp-tsa[.]net) to lure targets into downloading a fake WinSCP installer.

To further explore such DNS security risks, the WhoisXML API research team analyzed the top-level domain (TLD) distribution, IP resolution, and WHOIS registration data of 63,105 unique fully qualified domain names (FQDNs) containing native-language characters.

Download our white paper “Early Homograph Threat Detection: A DNS Study of IDNs and Native Language Characters” to explore our complete insights that leverage comprehensive passive DNS data from our Premium DNS Database.

Methodology

The data for our study came from the Premium DNS Database file dated 6 June 2024. We specifically extracted a sample comprising 63,105 unique FQDNs containing native-language characters from more than 58 billion rows of data.

Next, we analyzed the FQDNs’ IP resolutions by querying their corresponding IP addresses on Bulk IP Geolocation Lookup. This step allowed us to obtain pertinent information about their ISP administration and geographic locations.

After that, we used Bulk WHOIS Lookup to retrieve the root domains’ WHOIS information. We then analyzed the registrars, registrant countries, and redaction status of the top 100 root domains.

Preview of Study Findings

Our study of IDNs and native-language characters in FQDNs highlights:

  • The most used TLDs in the FQDNs
  • The geolocation countries of the top 100 IP addresses resolving the FQDNs
  • The ISPs of the top 100 IP addresses
  • The hosts of the top FQDNs with native-language characters
  • The registrars of the top 100 root domains
  • How many of the top 100 root domains had privacy-protected WHOIS information
  • The existence of suspicious FQDNs and IDNs potentially impersonating legitimate entities

Take a look at an extract from our white paper showing the TLDs most commonly used in the FQDNs, along with examples of suspicious FQDNs under them.

Most Used TLDs in the FQDNs

Two internationalized TLDs were among the most commonly used based on the data in our passive DNS database. They were .xn--fiqs8s or .中国, which appeared in 16,647 FQDNs, and .xn--fiqz9s or .中國, which appeared in 16,638 FQDNs. Domains sporting these TLDs can potentially figure in campaigns impersonating financial organizations.

SAMPLE MEMBERS                  LIKELY IMITATED ENTITY
1stcâpital[.]xn--fiqs8s         First Capital Bank
1stcâpital[.]xn--fiqz9s
1stcépital[.]xn--fiqz9s
1stcălgary[.]xn--fiqs8s         First Calgary Financial
1stcălgăry[.]xn--fiqs8s
1stcălgăry[.]xn--fiqz9s

The rest of the top 10 were regular TLDs comprising .com (9,747 FQDNs), .org (5,823 FQDNs), .cn (3,570 FQDNs), .net (3,431 FQDNs), .app (2,342 FQDNs), .in (1,251 FQDNs), .io (833 FQDNs), and .edu (471 FQDNs).

The top 10 TLDs accounted for 96.27% of the total number of FQDNs, while the remaining domains were distributed across 104 other TLDs.

Want to check out the remaining findings of our study? Download our complete white paper “Early Homograph Threat Detection: A DNS Study of IDNs and Native-Language Characters” now.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
