Security experts are warning people about a nearly undetectable phishing scam that tricks even the most cyber-secure users into trusting malicious sites.
The scheme is a variation on the common trick of registering domain names that look superficially like existing ones: an ‘r’ followed by an ‘n’ turns microsoft.com into rnicrosoft.com, or an uppercase ‘I’ in place of a lowercase ‘l’ turns PayPal.com into PayPaI.com. This version, however, is much more sophisticated.
It was first uncovered by web developer Xudong Zheng, and here’s how it works: instead of using similar-looking letters or letter combinations, the domains are registered with non-Latin characters that are facsimiles of Latin letters. For example, the Cyrillic ‘а’ looks identical to the Latin ‘a’.
The domains are then registered in Punycode, the encoding that lets a Unicode domain label be stored in the ASCII-only DNS (the ‘xn--’ form). Continuing the example, the Unicode character U+0430 (Cyrillic ‘а’) is used instead of U+0041 (Latin ‘a’), and when a browser displays the domain in its Unicode form, the user sees the letters those code points represent.
Zheng initially reported that Chrome, Firefox and Opera were affected, but all three have since released updates that, once installed, resolve the issue.
Both Zheng and WordFence have set up safe example sites to show how this works. Zheng’s apple.com is, in fact, https://www.xn--80ak6aa92e.com, and WordFence’s epic.com is, rather, https://www.xn--e1awd7f.com.
New version of an old trick
Despite the sudden furore over this trick, it is not, strictly speaking, new. In fact, it dates back to 2001, when researchers Evgeniy Gabrilovich and Alex Gontmakher demonstrated the potential for Unicode to spoof websites by registering a variant of the domain name microsoft.com that used, in part, Cyrillic characters.
In 2005, the organisation in charge of overseeing the domain name system, US-based ICANN, put out a warning regarding this practice, which it termed “homograph attacks”. However, nothing was done to fix the issue, so it continued to reappear until recently, when modern browsers attempted to limit the potential for these attacks.
Both Firefox and Chrome already blocked domains that mix letters from several writing systems, such as Cyrillic and Latin, but Zheng showed that they did not block domains whose characters all come from a single writing system.
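The following is an added example, not code from the original article or from Zheng: it decodes the ‘xn--’ Punycode labels described above and implements both defensive checks the browsers needed, the mixed-script rule that already existed and the whole-script confusable check that Zheng’s domain slipped past. The Cyrillic-to-Latin table, the brand list and the sample hostnames are constructed for the example; the two ‘xn--’ names are the proof-of-concept sites quoted earlier.

```python
import unicodedata

# Small confusables table, constructed for this example: Cyrillic letters
# that render like Latin ones (a subset of Unicode's confusables.txt).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u04cf": "l", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
    "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

def decode_label(label: str) -> str:
    """Return the Unicode a label displays as (Punycode for 'xn--' labels)."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(text: str) -> set:
    """Writing systems used by the letters in text, via the Unicode character name."""
    return {unicodedata.name(c).split()[0] for c in text if c.isalpha()}

def skeleton(text: str) -> str:
    """Fold look-alike Cyrillic letters onto the Latin letters they mimic."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in text)

def classify(hostname: str, known_brands: set) -> str:
    """Flag a hostname as mixed-script, whole-script-confusable, or ok."""
    for raw in hostname.lower().split("."):
        label = decode_label(raw)
        scripts = scripts_of(label)
        if len(scripts) > 1:
            return "mixed-script"             # the case browsers already blocked
        if scripts and scripts != {"LATIN"} and skeleton(label) in known_brands:
            return "whole-script-confusable"  # the case Zheng showed slipped through
    return "ok"

if __name__ == "__main__":
    brands = {"apple", "epic", "paypal"}   # constructed watch-list of protected names
    samples = ("www.xn--80ak6aa92e.com", "www.xn--e1awd7f.com",
               "p\u0430ypal.com", "paypal.com")   # constructed inputs
    for host in samples:
        print(host, "->", classify(host, brands))
```

The classifier only catches look-alikes it has a folding for, so in practice the table should come from Unicode’s confusables data rather than a hand-written subset.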
Zheng advises that, until the update has been installed, “concerned users should manually type the URL or navigate to sites via a search engine when in doubt. This is a serious vulnerability because it can even fool those who are extremely mindful of phishing.”
Mitigate the threat of phishing attacks
As this example shows, the methods that cyber criminals use can be incredibly creative and cunning, and it takes the same kind of creativity from those on the right side of the law to spot and respond to potential methods of attack.
Whether or not there are any malicious websites out there that use this trick (the only reported instances are the proof-of-concept sites created by Zheng and WordFence), the browsers’ updates will unmask them.
As creative as this attack was, however, the way it works is still fundamentally the same as most other kinds of phishing: it sends people to a bogus site and tries to get them to hand over information or to load malware onto their machines. Being able to spot what is going on is, as always, the only real way for individuals and employees to protect themselves and their business.
To mitigate the risk in your organisation, you should enrol your staff on IT Governance’s Phishing Staff Awareness Course. It uses real-life examples of phishing attacks and provides practical tips to help employees become an active part of their company’s cyber security strategy.