This is one of those instances where the Microsoft and Apple browsers beat out the competition, because this problem mainly affects Google Chrome, Mozilla Firefox and Opera.
Hackers have found a way of registering domains using Unicode characters that look like those of other websites… i.e. they can now fake a domain you might have a login to, and the faked address can be nearly impossible to spot.
How do you normally spot a faked website? You put your mouse over the link, or look at the address of the page that loads when the link is clicked, right? (We hope you don’t click too many of these links, though.)
Well, that security check can fail you, as the hackers have found a way of registering domains with names that *LOOK* legitimate even though they are not.
Security researcher Xudong Zheng from China, who discovered the attack, said in a blog post:
“It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.”
The attack is called a ‘homograph attack’ and has been known since 2001. The problem is that browser manufacturers have struggled to fix it properly.
Here is another proof-of-concept site, created by the security team at Wordfence, which demonstrates the browsers’ vulnerability. It is a Unicode domain spoof of the “epic.com” domain.
The problem stems from there being many Unicode characters which look like Latin characters; for example, the Greek, Cyrillic and Armenian alphabets contain characters which look exactly like the Latin characters used in English, and those characters can be used to register a domain. So even though the Cyrillic character “а” (U+0430) and the Latin character “a” (U+0041) look alike to the naked eye, they are different characters: the look-alike Cyrillic character, when used in a domain, looks like a regular lower-case ‘a’, but it is a totally different letter and so, possibly, a totally different domain name.
Most browsers store such domains as ‘Punycode’ (an ASCII form) but display them as the Unicode characters it encodes, and because that display feature is turned ON by default, you can get tricked by a domain using these special, but different, characters.
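As an added example (not code from the original post or from Zheng’s research), the following Python script shows the Punycode form hidden behind a look-alike domain and flags labels that are non-ASCII or mix scripts; the sample hostnames are constructed.

```python
import unicodedata

# Constructed sample hostnames (not from the original post). The second swaps the
# Latin small a (U+0061) for the Cyrillic small a (U+0430); the third is built from
# Cyrillic letters only and reads as "epic.com" while sharing no letter with it.
SAMPLES = ["apple.com", "\u0430pple.com", "\u0435\u0440\u0456\u0441.com"]


def to_punycode(host: str) -> str:
    """Return the ASCII (xn--) form that a browser shows when Punycode display is enabled."""
    return host.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Return the scripts of the letters in one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Character names read "LATIN SMALL LETTER A", "CYRILLIC SMALL LETTER A", ...
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def check_host(host: str) -> dict:
    """Classify a hostname as a defender-side URL filter might: expose the xn-- form and
    return 'ok' for pure ASCII, 'mixed-script' if any label mixes scripts, else 'non-ascii'."""
    labels = host.split(".")
    non_ascii = [lab for lab in labels if not lab.isascii()]
    mixed = [lab for lab in labels if len(scripts_in_label(lab)) > 1]
    if mixed:
        verdict = "mixed-script"
    elif non_ascii:
        verdict = "non-ascii"
    else:
        verdict = "ok"
    return {"display": host, "punycode": to_punycode(host), "verdict": verdict}


if __name__ == "__main__":
    for h in SAMPLES:
        r = check_host(h)
        print(f"{r['display']:>12}  ->  {r['punycode']:<20} {r['verdict']}")
```

Comparing the display form with the xn-- form is exactly what the Firefox setting described later on this page does for you.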
Zheng reported these problems to the big browser makers back in January, and Google is going to be rolling out a fix in time. About other vendors we’re unsure.
There is a fix that you can employ yourself, though. In Firefox, for example, follow these steps to stop Unicode characters being shown as their Latin look-alikes, by changing the Punycode setting.
Firefox users can follow the steps below to apply a temporary mitigation manually:
- Type about:config in address bar and press enter.
- Type Punycode in the configuration search bar.
- Browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
Unfortunately, there is no similar setting available in Chrome or Opera to disable Punycode URL conversion at this time, so Chrome users have to wait a few weeks for the patched Stable 58 release from Google.
Here are the steps you take in Firefox in screenshot form:
One of the ways you can protect yourself no matter which browser you use is to use a good password manager, one with either a native or an add-on browser plugin. That way, if the password manager does not offer your password even though the URL in the address bar looks ‘right’, that serves as a clue that this might not be the correct website.
We are hopeful that endpoint protection systems will add unicode domain warnings quickly – so make sure that you are using a solid antimalware / antivirus with a web protection module!