Phishing is one of the oldest and common techniques used to steal user details maliciously.
The most common attack vector used for Phishing is email, but email providers have improved their filters tremendously, and now most of those phishing emails never reach your main Inbox.
A few stray email that does land in your inbox can wreck havoc, more so thanks to the ever-evolving technology.
In this article, I will be discussing one such Phishing technique that is almost impossible to detect.
And when I say almost impossible, I do mean it, unless you’re skilled enough to dissect SSL certificates.
Am I Vulnerable to this Attack?
Yes. If you use the following browsers:
1. Google Chrome.
2. Mozilla Firefox.
How Does This Phishing Attack Work?
Let me show you a demo first.
Real Website : Epic.com
Phishing Website : xn--e1awd7f.com
Check the address bar on both the sites. It looks exactly the same, but the contents of both are very different.
This attack exploits a vulnerability in the above-mentioned browsers wherein they use a particular encoding known as “Punycode” to convert Unicode characters to a limited ASCII character set.
In simple terms, the alphabet “e” is represented as “U+0065” in Unicode and the Cyrillic character “IE” is represented as “U+0435” in Unicode.
Although both of those are different, they look the same.
Phishers can register domain names with the prefix “xn--“, which tells the browser that rest of the domain name is in ASCII code.
For example, the domain name “xn--e1awd7f.com” renders as “epic.com” in vulnerable browsers.
How to Fix This Issue?
Chrome & Opera
Chrome has released a patch for this vulnerability in the “Chrome 59” version (which is an advance beta release).
Opera has not yet issued an update.
Opera reached out to us and informed about the security patch they issued for the vulnerability. In their latest stable build, version 44.0.2510.1449 they have fixed the issue.
Firefox users can manually disable Punycode URL conversions, just follow these steps.
Step 1. Open a new Tab, type “about:config” and press Enter.
Step 2. Click on the “I accept the risk” button.
Step 3. In the search bar, type in “Punycode”.
Step 4. Double click the result “network.IDN_show_punycode” to change its boolean value from “false” to “true”.
Now, whenever you visit a website exploiting the vulnerability as mentioned earlier, you’ll see the actual domain name (xn--e1awd7f.com in this case) in the address bar.
Every day, new vulnerabilities are discovered and patched. Software manufacturers release these patches in the form of Software updates. So, make sure you keep all your applications updated to prevent such attacks.
Share this article on Facebook or Tweet about it so your friends can protect themselves.