Page 2 – A Phishing Attack Using Punycode
The Punycode Phishing Attack
If all foreign characters looked so different from ASCII characters, we wouldn’t have any problems. However, that’s not the case, especially when you take into account the font choice used by some browsers. In Punycode, this:
is the equivalent of:
Notice the similarity to apple.com? This is because the Punycode is rendering the Cyrillic equivalent of “a” (U+0430) instead of ASCII’s “a” (U+0061). Chrome 57 and earlier, along with all versions of Firefox, use fonts that will make you see the domain name as “apple.com” and possibly fool you into thinking you’re at Cupertino’s website.
The same problem exists in Windows in Internet Explorer and Edge, if the computer has Cyrillic font support.
What’s Being Done to Fix It?
Security researchers reported this bug to Chrome and Mozilla (makers of Firefox) on January 20, 2017. Chrome fixed it as of version 58 on March 28, but that particular update is still rolling out to users. I actually received the new version of Chrome minutes after capturing a screenshot of the bug in action.
The bug does not occur in Safari at all. Firefox, on the other hand, will always suffer from this bug, it seems. Developers at Mozilla have said such attacks cannot be detected programmatically, and that it is the responsibility of domain owners to identify such potential threats and register those Punycode domains themselves.
There is, however, a workaround in Firefox to resolve the issue. If you visit about:config and set network.IDN_show_punycode to true, Once done, Firefox won’t transcode Punycode into Unicode.
The Moral of the Story – Use Your Password Manager
The truth found in this is that you should be much more careful about entering personal information on a website. This is true even if it’s one you think you recognize and has an apparently-valid SSH certificate. To prevent falling prey to a Punycode phishing attack, rely heavily on your password manager to protect you. Punycode phishing attacks don’t fool password managers. Hopefully, Mozilla will soon reverse its stance on the issue, but at least there’s a way to protect yourself in Firefox. You should also be sure to upgrade Google Chrome, if you use it.