Beware: Punycode Phishing Scam Can Snare even Savviest Users
By Shirley Siluk / Enterprise Security Today
Published: April 21, 2017
If you think you've fine-tuned your online security skills enough not to fall for a phishing scam, think again: software engineer Xudong Zheng has uncovered a vulnerability that could be especially difficult to spot.

Writing on his blog last week, Zheng described a special variation of what's called an "IDN [internationalized domain name] homograph attack." This kind of attack uses letters from one writing system, for example Cyrillic, that look just like letters from another system, say Latin, to trick people into clicking on legitimate-looking URLs that actually take them to different, possibly malicious Web sites.

While most browsers today offer protections against IDN attacks, Zheng discovered a unique exception: when another language system can be used to replace all, and not just some, of the letters in legitimate domains, many browsers won't catch the trick. This leaves both the real URLs and the spoofed URLs looking nearly identical in the browsers' fonts.

Chrome Fix Now Rolling Out

The attack strategy works because of the system put in place to enable the registration of Web domains using foreign characters. A coding system called Punycode is applied to foreign characters to render them readable in standard ASCII text.

Zheng said a problem can arise, though, with Web addresses that look exactly like Latin-character URLs, but are actually written in homographs, which are characters in different languages that appear almost identical to Latin text. For instance, Cyrillic features many letters that look similar to the Latin alphabet, making it possible to spoof the actual domain "apple.com" (in Latin characters) with the alternative URL, "apple.com" (in Cyrillic characters).

"Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox," Zheng said in his blog post. "As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate."

The vulnerability was reported to Chrome and Firefox on Jan. 20 and has since been fixed in the March 24 Chrome update that's now rolling out, Zheng said. However, the bug remains an issue in the Firefox, Opera and Internet Explorer browsers. The fix in Chrome ensures that a potential lookalike URL using foreign characters will be displayed in the raw Punycode.

"We have confirmed that this resolves the issue and that our 'epic.com' test domain no longer shows as 'epic.com' and displays the raw punycode instead, which is 'www.xn--e1awd7f.com', making it clear that the domain is not 'epic.com'," the software security firm Wordfence reported Tuesday.
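To make the encoding step concrete, here is an added example (not from the article, Zheng's post or Wordfence) that converts a constructed Cyrillic spelling of "epic.com" into its "xn--" Punycode form and applies a simplified version of the display rule Chrome adopted: when every character of a non-ASCII label is a Cyrillic look-alike of a Latin letter, the label is shown as raw Punycode. The Cyrillic-to-Latin table is a small, hand-picked subset used only for illustration, and full IDNA normalization is deliberately omitted.

```python
# Added example: Punycode encoding plus a simplified "whole-script look-alike"
# display check. Not browser code; the look-alike table is an illustrative subset.

# Cyrillic letters that visually mimic Latin letters (code points spelled out
# so the two alphabets cannot be confused in the source itself).
CYRILLIC_LOOKALIKES = {
    chr(cp): latin for cp, latin in [
        (0x0430, "a"), (0x0435, "e"), (0x043E, "o"), (0x0440, "p"), (0x0441, "c"),
        (0x0443, "y"), (0x0445, "x"), (0x0456, "i"), (0x0458, "j"), (0x0455, "s"),
        (0x04BB, "h"), (0x0501, "d"), (0x051B, "q"), (0x051D, "w"), (0x04CF, "l"),
    ]
}

# Constructed sample: Cyrillic ie, er, byelorussian-ukrainian i, es -> looks like "epic".
EPIC_SPOOF = "\u0435\u0440\u0456\u0441.com"


def label_to_ascii(label: str) -> str:
    """Return the A-label ("xn--" + RFC 3492 Punycode) for one domain label.

    ASCII labels are returned unchanged. Python's "punycode" codec is raw
    RFC 3492; real resolvers also run IDNA normalization first.
    """
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def domain_to_ascii(domain: str) -> str:
    """Encode every label of a domain, e.g. the Cyrillic "epic.com" -> xn--e1awd7f.com."""
    return ".".join(label_to_ascii(part) for part in domain.lower().split("."))


def is_whole_script_lookalike(label: str) -> bool:
    """True when ALL characters of a non-ASCII label are Cyrillic Latin look-alikes.

    Mixed Latin/Cyrillic labels were already flagged by older browser rules;
    this all-or-nothing case is the gap the article describes.
    """
    return not label.isascii() and all(ch in CYRILLIC_LOOKALIKES for ch in label)


def spoofed_latin_target(label: str) -> str:
    """The Latin string a look-alike label impersonates (for alerting/logging)."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def display_form(domain: str) -> str:
    """Render as Unicode normally, but as raw Punycode for whole-script look-alikes."""
    if any(is_whole_script_lookalike(part) for part in domain.lower().split(".")):
        return domain_to_ascii(domain)
    return domain
```

Genuine international names such as "münchen.de" contain characters outside the look-alike table and therefore keep their Unicode rendering, while the Cyrillic "epic.com" is forced into its xn-- form.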

Use Password Manager, Type URLs Manually

Users of different browsers can take other steps on their own to protect against the possibility of such IDN homograph attacks, Zheng said. Firefox users, for example, can force the browser to display the raw Punycode for sites by going to about:config and setting network.IDN_show_punycode to "true."

IBM's Security Intelligence site reported Tuesday that the raw Punycode is now displayed correctly in Internet Explorer, as well as in Brave, Edge, Safari and Vivaldi. Another protection strategy is to use a password manager, Zheng said.

"In general, users must be very careful and pay attention to the URL when entering personal information," he said. "Until this is fixed, concerned users should manually type the URL or navigate to sites via a search engine when in doubt. This is a serious vulnerability because it can even fool those who are extremely mindful of phishing."


Tell Us What You Think
tdm:
Posted: 2017-04-30 @ 3:33am PT
This seems dubious. DNS does not "interpret" punycode as described in this article. In fact, for this type of hack to happen, which this article does not explain, would simply require a standard phishing attack. So this is NOT a problem with a browser. A browser cannot be "fooled" into calling a malicious web site based on corrupted or misnamed punycode. The ONLY way for this type of attack to be successful, in fact, is for the user to IGNORE the browser warning that the address is not correct or is mismatched to the certificate. (Note: there are several other unrelated malicious attacks that do perform that action, but punycode is not the means or vector.) This article is probably interesting to people who do not understand technical subtleties, or those users (and websites) that continue to resist using exclusive https/tls connections only. You have been warned. Up your game!

Jaime Tan:
Posted: 2017-04-23 @ 11:15pm PT
Outlook Mail Client and Gmail are vulnerable as well.

Joe Cogan:
Posted: 2017-04-23 @ 6:55am PT
Wow, that really is clever.
