Beware: Punycode Phishing Scam Can Snare even Savviest Users
If you think you've fine-tuned your online security skills enough not to fall for a phishing scam, think again: software engineer Xudong Zheng has uncovered a vulnerability that could be especially difficult to spot.
Writing on his blog last week, Zheng described a special variation of what's called an "IDN [internationalized domain name] homograph attack." This kind of attack involves using letters from one writing system, for example, Cyrillic, that look just like letters from another system, say, Latin, to trick people into clicking on legitimate-looking URLs that actually take them to different, possibly malicious Web sites.
While most browsers today offer protections against IDN attacks, Zheng discovered a unique exception: when another language system can be used to replace all, and not just some, of the letters in legitimate domains, many browsers won't catch the trick. This leaves both the real URLs and the spoofed URLs looking nearly identical in the browsers' fonts.
Chrome Fix Now Rolling Out
The attack strategy works because of the system put in place to enable the registration of Web domains using foreign characters. A coding system called Punycode is applied to foreign characters to render them readable in standard ASCII text.
Zheng said a problem can arise, though, with Web addresses that look exactly like Latin-character URLs, but are actually written in homographs, which are characters in different languages that appear almost identical to Latin text. For instance, Cyrillic features many letters that look similar to the Latin alphabet, making it possible to spoof the actual domain "apple.com" (in Latin characters) with the alternative URL, "apple.com" (in Cyrillic characters).
"Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox," Zheng said in his blog post. "As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate."
The vulnerability was reported to Chrome and Firefox on Jan. 20 and has been fixed in the March 24 Chrome update that's now rolling out, Zheng said. However, the bug remains an issue in the Firefox, Opera and Internet Explorer browsers. The fix in Chrome ensures that a potential lookalike URL using foreign characters will be displayed in the raw Punycode.
"We have confirmed that this resolves the issue and that our 'epic.com' test domain no longer shows as 'epic.com' and displays the raw punycode instead, which is 'www.xn--e1awd7f.com', making it clear that the domain is not 'epic.com'," the software security firm Wordfence reported Tuesday.
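The Chrome behaviour described above (keep a label in raw Punycode when every one of its characters is a Cyrillic look-alike of a Latin letter, show the Unicode form otherwise) can be reproduced in a few lines using Python's built-in `idna` codec. This is an added example, not code from the article, Zheng's post or any browser; the look-alike table is a constructed subset of the Unicode confusables list, and `analyze` accepts either the Unicode or the `xn--` form of a hostname.

```python
# Constructed lookup (assumption): lower-case Cyrillic letters whose glyphs are
# routinely mistaken for Latin letters in common UI fonts, mapped to the Latin
# letter they mimic. The full reference is Unicode's confusables.txt.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u051b": "q", "\u051d": "w", "\u0501": "d",
}


def whole_script_confusable(label: str):
    """Return the Latin string a label impersonates when EVERY character is a
    Cyrillic look-alike of a Latin letter, else None. Labels that mix scripts
    are the case browsers already reject, so they are not reported here."""
    if not label:
        return None
    latin = []
    for ch in label:
        if ch not in CYRILLIC_LOOKALIKES:
            return None
        latin.append(CYRILLIC_LOOKALIKES[ch])
    return "".join(latin)


def analyze(host: str):
    """Return (display, unicode_form, impersonated) for a hostname.

    display      -- what a browser applying the Chrome rule would show:
                    raw Punycode for whole-script-confusable labels, Unicode otherwise
    unicode_form -- the fully decoded hostname
    impersonated -- the Latin hostname the look-alike labels mimic, or None
    """
    # ToASCII accepts Unicode or already-encoded 'xn--' labels unchanged.
    ace_labels = host.encode("idna").decode("ascii").lower().split(".")
    shown, decoded, mimic, suspicious = [], [], [], False
    for ace in ace_labels:
        uni = ace.encode("ascii").decode("idna")   # ToUnicode per label
        decoded.append(uni)
        latin = whole_script_confusable(uni)
        if latin is None:
            shown.append(uni)
            mimic.append(uni)
        else:
            suspicious = True
            shown.append(ace)          # keep the raw Punycode, as the Chrome fix does
            mimic.append(latin)
    return ".".join(shown), ".".join(decoded), (".".join(mimic) if suspicious else None)


if __name__ == "__main__":
    for h in ("xn--e1awd7f.com", "example.com", "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444"):
        print(h, "->", analyze(h))
```

Run on Wordfence's test domain above, `analyze("xn--e1awd7f.com")` reports that the Unicode form mimics "epic.com" and keeps the Punycode on display, while a Cyrillic domain containing letters with no Latin look-alike is still shown in Unicode.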
Use Password Manager, Type URLs Manually
Users of different browsers can take other steps on their own to protect against the possibility of such IDN homograph attacks, Zheng said. Firefox users, for example, can force the browser to display the raw Punycode for sites by going to about:config and setting network.IDN_show_punycode to "true."
IBM's Security Intelligence site reported Tuesday that the raw Punycode is now displayed correctly in Internet Explorer, as well as in Brave, Edge, Safari and Vivaldi. Another protection strategy is to use a password manager, Zheng said.
"In general, users must be very careful and pay attention to the URL when entering personal information," he said. "Until this is fixed, concerned users should manually type the URL or navigate to sites via a search engine when in doubt. This is a serious vulnerability because it can even fool those who are extremely mindful of phishing."
Image credit: iStock/Artist's concept.
Posted: 2017-04-30 @ 3:33am PT
This seems dubious. DNS does not "interpret" punycode as described in this article. In fact, for this type of hack to happen, which this article does not explain, would simply require a standard phishing attack. So this is NOT a problem with a browser. A browser cannot be "fooled" into calling a malicious web site based on corrupted or misnamed punycode. The ONLY way for this type of attack to be successful in fact, is that the user IGNORE the browser warning that the address is not correct or is mismatched to certificate. (note: there are several other unrelated malicious attacks that do perform that action, but punycode is not the means or vector)...this article is probably interesting to people who do not understand technical subtleties, or those users (and websites) that continue to resist using exclusive https/tls connections only. You have been warned. Up your game!
Posted: 2017-04-23 @ 11:15pm PT
Outlook Mail Client and Gmail are vulnerable as well.
Posted: 2017-04-23 @ 6:55am PT
Wow, that really is clever.