Chrome, Firefox and Opera are vulnerable to a phishing technique using Unicode in domain names

Chinese researcher Xudong Zheng warned that the browsers Chrome, Firefox and Opera are vulnerable to virtually undetectable phishing attacks. With these attacks, hackers can register fake domains that are virtually indistinguishable from the real resources of Apple, Google, eBay, Amazon and many other companies and services. The technique described by the researcher has its origins in 2001, in the method known as the homograph attack.

ICANN decided to allow non-ASCII characters (Unicode) in domain names a few years ago. ICANN's specialists understood that this carries a risk of fraud, because many Unicode symbols look almost identical: a good example is Cyrillic a (U+0430) and Latin a (U+0041). For this reason, Punycode was adopted for use instead of raw Unicode. As a result, the Chinese domain 短.co has to be shown in the browser address bar as xn--s7y.co, so as not to cause confusion or create unnecessary problems.

Zheng writes that browser vendors were supposed to convert Punycode URLs into Unicode characters inside the browser by default, but it quickly became clear that Punycode can be used to disguise phishing sites. It makes it easier for phishing sites to impersonate legitimate resources. For example, if an attacker registers the domain xn--pple-43d.com, it will look like apple.com, except that the letter "a" is Cyrillic. This is the homograph attack. Browser vendors countered such fraud with special filters that convert the address to Unicode only if the Punycode URL contains characters of a single language (that is, the address contains only Chinese characters, only Cyrillic characters, and so on).

But the researcher found that the filters in modern browsers can be bypassed. He invites everyone to visit the page (https://www.аррӏе.com/) and see for themselves. The domain that the browser displays as the legitimate apple.com is actually the domain xn--80ak6aa92e.com. The point is that the word "apple" is written entirely in Cyrillic characters. In such cases, the browser's phishing filters do not work. The spoofing can be detected only by examining the detailed certificate information for the page, which displays the real domain name.
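The two cases above can be told apart mechanically. The following Python sketch is an added example, not code from the original post or from any browser: it decodes each Punycode label and separates a mixed-script label (what the single-language filter catches) from a label written wholly in Cyrillic look-alikes (what slips past it). The function names and the small look-alike table are assumptions made for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode if it starts with xn--)."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Approximate the scripts in text from the first word of each character name."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch not in "0123456789-"}

def classify(hostname):
    """Return (verdict, latin_skeleton) for a hostname.

    verdict is 'ascii', 'single-script-idn', 'mixed-script',
    'whole-script-lookalike' or 'invalid-punycode'.
    """
    verdict = "ascii"
    for label in hostname.lower().split("."):
        try:
            text = decode_label(label)
        except UnicodeError:
            return ("invalid-punycode", None)
        if text.isascii():
            continue
        if len(scripts(text)) > 1:
            # Latin mixed with another script: the single-language filter fires.
            return ("mixed-script", None)
        if all(ch in CYRILLIC_LOOKALIKES for ch in text):
            # One script only, yet every letter imitates a Latin one.
            skeleton = "".join(CYRILLIC_LOOKALIKES[ch] for ch in text)
            return ("whole-script-lookalike", skeleton)
        verdict = "single-script-idn"
    return (verdict, None)

if __name__ == "__main__":
    for host in ("apple.com", "xn--s7y.co", "xn--pple-43d.com", "xn--80ak6aa92e.com"):
        print(host, classify(host))
```

The returned skeleton is what a defender would compare against a list of protected brand names before deciding to display the label in Unicode.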

Chrome, Firefox, and Opera (including Opera Neon) are vulnerable to such attacks. At the same time, Edge, Internet Explorer, Safari, Vivaldi and Brave display the Punycode URL, thus protecting their users.

Zheng reports that he contacted Google and Mozilla on January 20, 2017. Google engineers have already fixed the problem in Chrome Canary 59, and the full patch will appear as part of Chrome Stable 58, the release of which is expected on 25 April 2017. The Mozilla developers have not had time to prepare a fix and recommend that users disable support for Punycode: type about:config in the Firefox address bar, then find the option network.IDN_show_punycode and set it to true.