When it comes to crafting deceptive digital ploys and techno traps, the phishing scammer is probably the most creative cybercriminal around. Phishers throw everything at the proverbial wall, waiting for anything that might stick.
From simple “Hey, I’m so-and-so service, click here” emails to elaborate bait-and-switch scams that aim to fool even the most careful among us, the phishing toolkit is filled with assorted lures and tackles to reel in potential victims. A savvy scammer can turn any browser vulnerability or weakness into a vector for the next massive phishing attack.
Take this newly discovered weakness in three major web browsers: Google Chrome, Mozilla Firefox and Opera. It is deceptively simple, yet so potent that its discoverer calls it “almost impossible to detect.”
Chinese security researcher Xudong Zheng recently described a trick that criminals could use to make a fake web address look exactly like that of a legitimate, HTTPS-secured service, conning users into handing over login credentials or banking details.
Here’s how it works. Domain names may contain non-ASCII characters (so-called Internationalized Domain Names), but DNS itself only carries ASCII. Such names are therefore stored in “Punycode,” an ASCII encoding in which each international label starts with “xn--”. Browsers decode the Punycode and display the original Unicode characters, which is exactly what the owner of a genuine Russian or Chinese site wants.
The problem is how a browser decides when that decoding is safe to show. Chrome, Firefox and Opera already displayed Punycode when a label mixed scripts (say, one Cyrillic letter among Latin ones), but when every character came from a single script they rendered the readable Unicode form. Cyrillic happens to contain letters whose glyphs are identical to Latin ones in ordinary fonts, so an attacker can build a name entirely from those look-alikes and sail past the mixed-script check.
In simple terms, this means someone could register “xn--80ak6aa92e.com”, which those browsers then display as “аррӏе.com” (all five letters Cyrillic), visually identical to “apple.com.”
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” Xudong Zheng states in his blog.
This, of course, opens a number of opportunities for a phisher to mask fake addresses by letting the browser do the masking for them: the address bar shows the look-alike name, and since anyone can obtain a certificate for a domain they own, the padlock can be present too.
As mentioned, this weakness affects Chrome, Firefox and Opera. Microsoft Edge, Internet Explorer and Safari appear immune because they show the Punycode form in the address bar for such names.
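The following Python script is an added illustration, not code from the article or from Xudong Zheng; it decodes the Punycode label quoted above with Python’s built-in punycode codec and then models the two address-bar policies the article contrasts. The look-alike table is a hand-picked subset (an assumption for this example, not Chrome’s actual list), and the “fixed” rule is a simplified version of the Chrome 58 change that ignores its per-TLD exceptions. The names `display_hostname`, `latin_skeleton` and `impersonates` are this example’s own.

```python
import unicodedata

# Illustrative subset (an assumption for this example, not any browser's real list)
# of Cyrillic letters whose glyphs match Latin letters in common UI fonts.
CYRILLIC_LATIN_TWINS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def decode_label(label):
    """Unicode form of one DNS label; "xn--" labels carry Punycode (RFC 3492)."""
    if label[:4].lower() == "xn--":
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """ACE ("xn--") form of one label; ASCII labels are returned unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_unicode(hostname):
    return ".".join(decode_label(part) for part in hostname.split("."))


def script_of(ch):
    """Coarse script taken from the character's Unicode name: LATIN, CYRILLIC, ..."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and '-' belong to no script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scripts_in(label):
    return {script_of(c) for c in label} - {"COMMON"}


def latin_skeleton(text):
    """Swap each Cyrillic twin for its Latin look-alike, e.g. 'аррӏе' -> 'apple'."""
    return "".join(CYRILLIC_LATIN_TWINS.get(c, c) for c in text)


def display_label(label, fixed=True):
    """What the address bar shows for one label.

    fixed=False reproduces the pre-Chrome-58 behaviour the article describes:
    a label written in a single script is shown as Unicode.
    fixed=True adds a simplified Chrome 58 rule (TLD exceptions omitted): a label
    made entirely of Cyrillic letters that look Latin is shown as Punycode.
    """
    uni = decode_label(label)
    if uni.isascii():
        return uni
    ace = label if label[:4].lower() == "xn--" else encode_label(uni)
    scripts = scripts_in(uni)
    if len(scripts) > 1:
        return ace  # mixed-script labels were already shown as Punycode
    if fixed and scripts == {"CYRILLIC"} and all(c in CYRILLIC_LATIN_TWINS for c in uni):
        return ace  # whole-script confusable: fall back to Punycode
    return uni


def display_hostname(hostname, fixed=True):
    return ".".join(display_label(part, fixed) for part in hostname.split("."))


def impersonates(hostname, target):
    """True when hostname is not target but decodes to something that looks like it."""
    uni = to_unicode(hostname)
    return uni != target and latin_skeleton(uni) == target


if __name__ == "__main__":
    # Zheng's demonstration domain from the article, plus constructed inputs:
    # a mixed-script look-alike, a genuine Cyrillic name and the real thing.
    for host in ["xn--80ak6aa92e.com", "\u0430pple.com", "яндекс.рф", "apple.com"]:
        print(f"{host:22} old: {display_hostname(host, fixed=False):20} "
              f"new: {display_hostname(host):20} "
              f"looks like apple.com: {impersonates(host, 'apple.com')}")
```

Running it shows why the single-script rule was the weak point: the mixed-script “аpple.com” was already forced into Punycode, the all-Cyrillic “аррӏе.com” was not, and a legitimate name such as “яндекс.рф” still renders as Unicode under the tightened rule because not every letter has a Latin twin. Firefox’s network.IDN_show_punycode setting described below is the blunt alternative: it amounts to returning the ACE form for every non-ASCII label.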
How to protect yourself
Fortunately, Mozilla Firefox users can switch off the Unicode display themselves. Just follow these steps:
- Type about:config into your browser’s address bar and press Enter.
- Type Punycode in the search bar.
- Your browser settings will show a parameter titled network.IDN_show_punycode. Double-click it (or right-click and select Toggle) to change the value from false to true. Firefox will then show the “xn--” form for every internationalized domain in the address bar, legitimate ones included, so a Cyrillic or Chinese site you actually use will look odd from now on.
Google Chrome users will have to wait for Chrome 58, scheduled for late April, which carries the fix. Opera is built on Chromium, so it inherits the same change once it moves to that Chromium version.
Note: A Chrome extension called Punycode Alert can also warn you whenever a URL contains Punycode.
In the meantime, if you’re extremely worried about these Punycode scams, you can use one of the unaffected browsers, or rely on a password manager: it fills credentials only on the exact domain they were saved for, so it will stay silent on the look-alike even when your eyes are fooled.