Zero-day vulnerability in SaaS services exploited to launch IDN Homograph-like attacks

  • The purpose behind this is to launch phishing attacks against organizations.
  • The impacted SaaS services include Google, Amazon, and DigitalOcean.

Cybercriminals are exploiting a zero-day vulnerability in Verisign and several SaaS services to register malicious generic top-level domains and subdomains that look the same as legitimate sites. The impacted SaaS services include Google, Amazon, and DigitalOcean. The purpose behind this is to launch phishing attacks against organizations.

What does the report say?

The vulnerability, demonstrated by Matt Hamilton, a principal security researcher at Soluble, is similar to an IDN homograph attack and presents all the same risks.

He highlights that an attacker could register a domain or subdomain that appears visually identical to its legitimate counterpart and use it for social-engineering or insider attacks against an organization.
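The defender-side counterpart to the attack described above is to spot such look-alike names when they show up in a certificate-transparency feed, a mail header or a proxy log. The following check is an added example, not code from Soluble, Bishop Fox or Verisign: it decodes punycode (xn--) labels, lists every non-ASCII code point with its Unicode name, and folds a small constructed table of confusable characters onto an ASCII "skeleton" that is compared against a watch-list. The watch-list and the confusable table are placeholders; the report does not say which characters were abused.

```python
"""Defender-side homoglyph check for domain names seen in CT logs or mail headers."""
import unicodedata

# Constructed watch-list of domains to protect (placeholder, not from the report).
PROTECTED = {"example.com", "login.example.com"}

# Constructed, deliberately partial table of characters that render like ASCII
# letters but survive NFKD unchanged (Cyrillic and Latin IPA examples).
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0261": "g", "\u0131": "i"}

def decode_label(label):
    """Turn a punycode label (xn--...) back into Unicode; pass others through."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed punycode: keep the raw form for the analyst
    return label

def ascii_skeleton(text):
    """Approximate what a reader perceives: NFKD, drop combining marks,
    then fold known confusables onto their ASCII look-alikes."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLE.get(ch, ch))
    return "".join(out)

def analyse(domain):
    """Return the decoded name, every non-ASCII code point with its Unicode
    name, the ASCII skeleton, and the protected domain it resembles (if any)."""
    decoded = ".".join(decode_label(l) for l in domain.lower().split("."))
    non_ascii = [(ch, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
                 for ch in decoded if ord(ch) > 0x7F]
    skeleton = ascii_skeleton(decoded)
    # Only a name that needed folding AND lands on a protected domain is flagged.
    lookalike_of = skeleton if non_ascii and skeleton in PROTECTED else None
    return {"decoded": decoded, "non_ascii": non_ascii,
            "skeleton": skeleton, "lookalike_of": lookalike_of}

if __name__ == "__main__":
    # Constructed samples: a clean name, 'example' with a Cyrillic small a, an accented name.
    for name in ("example.com", "ex\u0430mple.com", "caf\u00e9.com"):
        print(analyse(name))
```

A legitimate accented name such as the third sample is reported for its non-ASCII code points but not flagged as a look-alike, because its skeleton does not match a watch-listed domain.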

Attackers started abusing this flaw in 2017

Hamilton believes the vulnerability has been abused for the past three years. Between 2017 and 2019, the researcher found more than a dozen homograph domains with active HTTPS certificates, including look-alikes of prominent financial, internet shopping, technology, and other Fortune 100 sites.

Once current and historical abuse of these homoglyphs had been identified, the issue was reclassified as a zero-day.

Verisign fixes the issue

Verisign, the authoritative registry for the .com, .net, .edu, and several other generic top-level domains (gTLDs), has fixed the flaw and now restricts the registration of domains using these homoglyph characters. In addition, it has changed its domain name registration rules by updating the table of characters allowed in newly registered domains.

Soluble, in partnership with Bishop Fox, has also reported the vulnerability to the vendors of the affected SaaS services. A patch for the vulnerability is yet to be released by the vendors.