Skip to Content
Security & privacy

Watch out! This stealthy phishing scam fools even the most cautious web users

When it comes to crafting deceptive digital ploys and techno traps, the phishing scammer is probably the most creative cybercriminal around. Phishers throw everything at the proverbial wall, waiting for anything that might stick.

From simple “hey, I’m so-and-so service, click here” emails to elaborate bait-and-switch scams that aim to fool even the most careful among us, the phishing toolkit is filled with assorted lures and tackles to reel potential victims in. A savvy scammer can turn any sort of browser vulnerability or weakness into the next vector for the next massive phishing attack.

Take this newly discovered vulnerability on the major web browsers – Google Chrome, Mozilla Firefox and Opera – it’s deceptively simple but it’s so amazingly potent that it is “almost impossible to detect.”

Chinese security researcher Xudong Zheng recently discovered a trick that criminals can theoretically use to display fake web addresses as secure and legitimate services to con users into giving away their login credentials or banking information.


Here’s how it works. A fraudster can bypass something called “Punycode” to mask fake addresses with foreign language characters. Punycode was originally devised as a way allow users to register web domains with foreign characters then transform into regular, readable (ASCII) characters.

The idea is that browsers will read the Punycode (non-ASCII) URL first then translate it into more understandable Unicode characters. It turns out, if someone uses characters from a single foreign character set, the affected browsers will render the URL in the same readable language instead of Punycode.

In simple terms, this means someone could register a domain that appears to be “” but is actually registered as “”

“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” Xudong Zheng states in his blog.

This, of course, opens a number of other opportunities for a phisher to mask fake addresses by letting the browsers do their dirty trick.

As mentioned earlier, this vulnerability affects Chrome, Firefox and Opera but Microsoft Edge, Internet Explorer and Safari appear to be immune to it since they correctly display the right Punycode in the address bar each time.

How to protect yourself

Fortunately, Mozilla Firefox users can easily defeat this vulnerability. Just follow these steps:

  1. Type about: config in the address bar and press enter.
  2. Type Punycode in the search bar.
  3. Browser settings will show parameter titled: network.IDN_show_punycode, double-click or right-click and select Toggle to change the value from false to True.

Google Chrome users will have to wait for the Chrome 58 update. Google has decided to push the fix for this vulnerability with this update scheduled for late April.

Note: A Chrome extension called Punycode Alert can also alert you each time it detects a URL has Punycode content.

In the meantime, if you’re extremely worried about these Punycode bypass scams, you can use the unaffected browsers.

Another way to shield yourself is by using a password manager that can detect these deceptive URLs.

More must-read stories:

New “Brickerbot” malware attacks insecure Wi-Fi networks and smart home gadgets

Watch out for these sham ads spreading on Facebook

iPhone thief steals over 100 phones – You won’t believe how he was caught

Stop robocalls for good with Kim’s new eBook

Robocalls interrupt us constantly and scam Americans out of millions of dollars every year. Learn Kim's best tricks for stopping annoying robocalls in this handy guide.

Get the eBook