How to protect your browser from Unicode domain phishing attacks

𝖨𝗍'𝗌 𝖾𝖺𝗌𝗒 𝗍𝗈 𝖻𝖾 𝗍𝗋𝗂𝖼𝗄𝖾𝖽 𝖻𝗒 𝖺 𝖴𝗇𝗂𝖼𝗈𝖽𝖾 𝖴𝖱𝖫.

Do you trust аpple.com?

Of course you do! So, do you feel okay about visiting the website at https://www.аpple.com?

The URL I’ve linked to isn’t the real Apple technology company that makes shiny iPhones, HomePods, and iMacs. Instead, it’s a Unicode domain which - rather than using only the ASCII characters that make up the vast majority of websites you’re likely to visit - contains characters from another script.

So the “а” of аpple.com is actually a Cyrillic “а” (U+0430) rather than the ASCII character “a” (U+0061).

What’s that? You couldn’t tell the difference? No, neither can I. And, as we’ve described before, that’s a problem that phishers and online crooks are only too happy to take advantage of in their pursuit of your passwords and other sensitive information.

You see, it’s not just “а” and “a” that can be mixed up. Unicode contains many characters that look remarkably similar to common ASCII characters (the Unicode Consortium even publishes a list of these “confusables”), and bad guys can take advantage of any of them. Which means that you and I are at risk of visiting a site believing it to be legitimate, when in fact it’s designed to scam us in what is known as an IDN homograph attack.

Browsers are beginning to get better at warning users when they visit a site with an internationalized domain name (IDN), with some now displaying the domain in the address bar in its Punycode form. That means you might spot that you’re visiting xn--pple-43d.com rather than the real apple.com.

But human nature means that, more often than not, we will fail to check the address bar and won’t notice that we’re not on the website we intended.

For that reason, I strongly recommend that you get some help.

There are a range of browser extensions and plugins that can warn you when you visit a website with an internationalized domain name. Having tried a few solutions, my preference is for a browser add-on called IDN Safe.

IDN Safe not only warns you that you are visiting a URL with an internationalized domain name, but it also *blocks* the webpage (which is far more likely to grab your attention!).

[Screenshot: the “Website blocked” warning page]

Of course, if you *did* want to visit that URL it would be a nuisance if you were now being blocked from reaching it. So, IDN Safe includes a whitelist feature to allow you to visit specific sites that you decide are legitimate.

IDN Safe isn’t for everyone. In particular, if you are - say - Chinese and in the habit of visiting websites that take advantage of internationalized domain names you may find it a ruddy nuisance. But, for most of us, I think it’s a sensible addition to our security toolbox - and may stop you from being phished or scammed one day.

Furthermore, Firefox users may benefit from changing a browser setting which forces the Punycode version of the domain to be displayed in the address bar: in about:config, set network.IDN_show_punycode to true.

I talk more about IDN Safe in the latest edition of the “Smashing Security” podcast. Check out the “Smashing Security” website for the episode and show notes.


10 Responses

  1. R. Dale Barrow

    February 22, 2018 at 9:39 pm #

    It looks like Firefox 58.0.2 (64 bit) on Windows 10 shows punycodes by default. This may be recent. Yay! I did not need to “about:config” to see what was going on.

  2. Andrew King

    February 22, 2018 at 10:27 pm #

    Great post Graham! I was aware of the problem, but it is really very helpful to know such add-ins exist. I will re-share on LinkedIn.

  3. Alfonso

    February 23, 2018 at 9:35 am #

    I was sure that Firefox 58.0.2 (64bit) on Win 7 Prof. was secure. This happened to me a couple of days ago: Mozilla FF browser froze while checking a web site that had Kaspersky’s “green seal”. I couldn’t take screenshots at all. None of the usual hacks worked. I shut down the computer, started 15 minutes later and there it was: the frozen browser. So I ended up taking pictures with my camera.
    Mozilla has not responded. Kaspersky helped me by fixing the problem. I have sent Kaspersky the 14 pictures.
    With all these problems shouldn’t we be concerned about having Mozilla FF, Kaspersky and others holding our passwords to everything? BHH are getting ahead of the game.

    Thank you Graham! Keep up the good work

  4. Alfonso

    February 23, 2018 at 9:50 am #

    Hello again Graham. Copy and paste your head title, “𝖨𝗍’𝗌 𝖾𝖺𝗌𝗒 𝗍𝗈 𝖻𝖾 𝗍𝗋𝗂𝖼𝗄𝖾𝖽 𝖻𝗒 𝖺 𝖴𝗇𝗂𝖼𝗈𝖽𝖾 𝖴𝖱𝖫”,
    and try to change the font to any of the other most used fonts. It stays the same: “CAMBRIA MATH”. WHY?
    Regards,
    Alfonso

    • Graham Cluley in reply to Alfonso.

      February 23, 2018 at 12:25 pm #

      That’s because it’s not a font thing. It’s Unicode characters. Crazy isn’t it?

  5. David

    February 23, 2018 at 12:17 pm #

    From https://www.itnews.com.au/news/unicode-flaw-in-chrome-and-firefox-aids-phishing-458533

    The vulnerability could not be reproduced in recent versions of Apple’s Safari web browser on macOS, Microsoft’s Edge, or Internet Explorer 11 in iTnews testing.

    Recent beta versions of Chrome are also not vulnerable, and Apple’s mobile Safari browser for iOS displays the domain name correctly.

  6. Andrew Udvare

    February 23, 2018 at 2:51 pm #

    Could just not have IDNs and the problem is solved. The benefits do not outweigh the security issues. Arguably an en-* locale system should warn on IDN domains at minimum.

  7. Steve Borsch

    February 24, 2018 at 3:38 pm #

    Would be interested in your thoughts on browser extensions overall. Why? Because when I read “Read and change all the data on the websites you visit.” it gives me pause…

    …especially as I stay on top of cyber security and read posts like this one:

    Rogue Chrome, Firefox Extensions Hijack Browsers; Prevent Easy Removal
    https://www.darkreading.com/attacks-breaches/rogue-chrome-firefox-extensions-hijack-browsers-prevent-easy-removal/d/d-id/1330854

    As such there are *very* few extensions in any of my browsers. Your thoughts?

    • Vytautas Buozys in reply to Steve Borsch.

      February 25, 2018 at 9:50 am #

      When Google first released Chrome and its store for apps, in the beginning I was excited and curious. But later I noticed that these extensions need too much of my personal info. It might be that some of them are time savers, but unrelated permissions are a big stop to using them.

  8. Soryte

    February 25, 2018 at 10:58 pm #

    Another issue is browsers on mobile devices. I haven’t tested lately, but last time I checked my iPad there was no real URL on the status bar.
    And seemingly most folks now use mobile devices to browse :o
