When it comes to crafting deceptive digital ploys and techno traps, the phishing scammer is probably the most creative cybercriminal around. Phishers throw everything at the proverbial wall, waiting for anything that might stick.
From simple “hey, I’m so-and-so service, click here” emails to elaborate bait-and-switch scams that aim to fool even the most careful among us, the phishing toolkit is filled with assorted lures and tackles to reel potential victims in. A savvy scammer can turn any sort of browser vulnerability or weakness into the next vector for the next massive phishing attack.
Take the weakness recently reported in three major browsers, Google Chrome, Mozilla Firefox and Opera: it is deceptively simple, yet potent enough that it has been described as "almost impossible to detect."
Chinese security researcher Xudong Zheng recently described a trick that criminals could use to make a fake web address look, padlock and all, like that of a legitimate service, in order to con users into giving away their login credentials or banking information.
Here is how it works. DNS only carries ASCII, so an internationalized domain name (IDN) containing non-ASCII letters is stored and resolved in an ASCII encoding called Punycode: the Unicode label is converted into a string of letters and digits prefixed with "xn--", and that string is what is actually registered.
Browsers decode the Punycode label back into Unicode before showing it in the address bar, so that a domain written in Cyrillic or Chinese appears in its own script. To block lookalike tricks, browsers already refuse to do this for a label that mixes scripts (a mostly Latin name with one Cyrillic letter slipped in, say) and show the raw Punycode instead. Zheng's observation is that a label built entirely from a single foreign script passes that check, so the affected browsers render it as readable Unicode even when every one of its characters happens to be a dead ringer for a Latin letter.
In simple terms, this means someone could register "xn--80ak6aa92e.com", which decodes to the Cyrillic letters а, р, р, ӏ (palochka) and е, and the affected browsers displayed it as "apple.com".
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” Xudong Zheng states in his blog.
This, of course, opens a number of other opportunities for a phisher to mask fake addresses by letting the browser do the dirty work of rendering the lookalike. Note that the lookalike domain is a real domain, so its owner can obtain a valid TLS certificate for it: the padlock only confirms that the connection to "аррӏе.com" is encrypted, not that you are talking to apple.com.
As mentioned earlier, this weakness affects Chrome, Firefox and Opera, while Microsoft Edge, Internet Explorer and Safari appeared to be immune, since they display such domains in their Punycode ("xn--") form in the address bar rather than decoding them.
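To make the mechanism above concrete, here is an added example written for this edit in JavaScript for Node.js; it is not code from the original article or from Xudong Zheng. It implements the RFC 3492 Punycode decoder that a browser applies to an "xn--" label, then compares two address-bar display policies on Zheng's demo domain: the mixed-script rule that an all-Cyrillic label slips past, and a stricter rule, in the spirit of the later browser fixes, that falls back to Punycode when every letter of a Cyrillic label is a Latin lookalike. The lookalike table is a small constructed subset of Unicode's confusables list, and both policy functions are illustrative approximations, not the browsers' actual code.

```javascript
// Added example, not part of the original article. Decodes Punycode labels
// (RFC 3492) and applies two illustrative address-bar display policies.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;

// RFC 3492 section 6.1: bias adaptation between encoded code points.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Value of one Punycode digit: a-z (or A-Z) -> 0-25, 0-9 -> 26-35.
function digitValue(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 48 && c <= 57) return c - 22;
  if (c >= 65 && c <= 90) return c - 65;
  if (c >= 97 && c <= 122) return c - 97;
  throw new Error(`invalid Punycode digit ${JSON.stringify(ch)}`);
}

// Decode the part of a label that follows "xn--" (RFC 3492 section 6.2).
function decodePunycode(input) {
  const delim = input.lastIndexOf('-');          // basic (ASCII) chars precede the last '-'
  const output = delim >= 0 ? Array.from(input.slice(0, delim), c => c.codePointAt(0)) : [];
  let pos = delim >= 0 ? delim + 1 : 0;
  let n = 128, i = 0, bias = 72;
  while (pos < input.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {             // read one variable-length integer
      if (pos >= input.length) throw new Error('truncated Punycode');
      const digit = digitValue(input[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, output.length + 1, oldi === 0);
    n += Math.floor(i / (output.length + 1));     // next code point to insert
    i %= output.length + 1;                       // position to insert it at
    output.splice(i, 0, n);
    i++;
  }
  return String.fromCodePoint(...output);
}

// The hostname as it would read if the browser always decoded IDN labels.
function toUnicodeHost(host) {
  return host.split('.').map(label =>
    label.toLowerCase().startsWith('xn--') ? decodePunycode(label.slice(4)) : label).join('.');
}

// Cyrillic letters whose glyphs match Latin ones in common fonts.
// Constructed subset for this example, not Unicode's full confusables.txt.
const CYRILLIC_LOOKALIKES = {
  '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0443': 'y', '\u0445': 'x', '\u04cf': 'l', '\u0456': 'i', '\u0458': 'j',
  '\u0455': 's', '\u04bb': 'h', '\u0501': 'd', '\u051b': 'q', '\u051d': 'w',
};

const SCRIPTS = { Latin: /\p{Script=Latin}/u, Cyrillic: /\p{Script=Cyrillic}/u, Greek: /\p{Script=Greek}/u };
const COMMON = /\p{Script=Common}/u;              // digits, hyphen: belong to no script

// Distinct scripts used by a label's letters, ignoring script-neutral characters.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    if (COMMON.test(ch)) continue;
    found.add(Object.keys(SCRIPTS).find(s => SCRIPTS[s].test(ch)) || 'Other');
  }
  return [...found];
}

// Pre-fix policy (approximation): show Punycode only when a label mixes scripts.
function mixedScriptPolicy(label) {
  return scriptsOf(label).length > 1;
}

// Stricter policy (approximation of the later fixes): also show Punycode when a
// pure-Cyrillic label consists entirely of Latin lookalikes.
function lookalikePolicy(label) {
  if (mixedScriptPolicy(label)) return true;
  const scripts = scriptsOf(label);
  return scripts.length === 1 && scripts[0] === 'Cyrillic' &&
    Array.from(label).every(ch => ch in CYRILLIC_LOOKALIKES || COMMON.test(ch));
}

// Latin "skeleton": each lookalike replaced by the letter it imitates.
function skeleton(label) {
  return Array.from(label, ch => CYRILLIC_LOOKALIKES[ch] || ch).join('');
}

// What the address bar shows for an ACE hostname under a given policy.
function displayHost(aceHost, policy) {
  return aceHost.split('.').map(label => {
    if (!label.toLowerCase().startsWith('xn--')) return label;
    const unicode = decodePunycode(label.slice(4));
    return policy(unicode) ? label : unicode;
  }).join('.');
}

const DEMO = 'xn--80ak6aa92e.com';                 // Zheng's demo domain, cited in the article
console.log(toUnicodeHost(DEMO));                  // the Cyrillic lookalike of apple.com
console.log(skeleton(toUnicodeHost(DEMO)));        // apple.com
console.log(displayHost(DEMO, mixedScriptPolicy)); // rendered as Unicode: the bypass
console.log(displayHost(DEMO, lookalikePolicy));   // stays as xn--80ak6aa92e.com
```

Run it with `node` to see the same label pass the mixed-script rule and fail the lookalike rule. The skeleton function is the heart of the stricter policy: a genuine Cyrillic domain such as москва contains letters with no Latin twin, so it keeps displaying in Unicode, while аррӏе maps letter for letter onto "apple" and gets shown as raw Punycode.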
How to protect yourself
Fortunately, Mozilla Firefox users can defeat this trick with a configuration change. Just follow these steps:
- Type about:config in the address bar and press Enter.
- Type Punycode in the search field of the about:config page.
- The settings list will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
From then on Firefox shows every internationalized domain in its "xn--" form, so "аррӏе.com" appears as "xn--80ak6aa92e.com". The trade-off is that legitimate non-Latin domains are shown as Punycode too.
Google Chrome users will have to wait for the Chrome 58 update. Google has decided to ship the fix for this weakness in that release, which is scheduled for late April.
Note: a Chrome extension called Punycode Alert can also warn you each time it detects a URL containing Punycode.
In the meantime, if you are particularly worried about these Punycode lookalike scams, you can use one of the unaffected browsers listed above.
Another way to shield yourself is a password manager: it fills credentials only on the exact domain they were saved for, and it matches the real domain name rather than the glyphs on screen, so it will stay silent on "xn--80ak6aa92e.com" no matter how much the page looks like apple.com. Autofill refusing to trigger where you expected it is itself a warning sign.