A new open-source and cross-platform tool called Tirith can detect homoglyph attacks over command-line environments by analyzing URLs in typed commands and stopping their execution.
Available on GitHub and also as an npm package, the tool works by hooking into the user’s shell (zsh, bash, fish, PowerShell) and inspecting every command the user pastes for execution.
URLs in commands look identical but are different
Source: GitHub
The idea is to block deceptive attacks that rely on URLs containing symbols from different alphabets that appear identical or nearly identical to the user but are treated as different characters by the computer (homoglyph attacks).
This lets attackers create a domain names that looks the same as that of a legitimate brand but have one or more characters from a different alphabet. On the computer screen, the domain looks legitimate for the human eye, but machines interpret the anomalous character correctly and resolve the domain to the server controlled by the attacker.
While browsers have addressed the issue, terminals continue to be susceptible as they can still render Unicode, ANSI escapes, and invisible characters, says Tirith's author, Sheeki, in the description of the tool.
According to Sheeki, the Tirith can detect and block the following types of attack:
Homograph attacks (Unicode lookalike characters in domains, punycode, and mixed scripts)
Terminal injection (ANSI escapes, bidi overrides, zero-width chars)
... continue reading