If you’re a user of Chrome, Firefox or Opera, you may fall victim to a pernicious phishing scam that’s lurking on the web these days.
Common, low-class phishing attacks are more or less easy to spot: the URLs of bogus websites that imitate trustworthy ones in order to steal your sensitive data tend to differ, if only slightly, from their safe counterparts.
But things got worse this time.
The URLs appear to be absolutely legit. There’s virtually no sign of forgery that a naked eye can spot.
If you are not familiar with phishing attacks, read our blog post about some of the most common security threats.
You’re probably wondering how it is possible to create phishing websites that our browsers cannot detect as scams.
It happens because we taught our browsers to read and transcribe the alphabets of many (if not all) of the world’s languages.
Browsers are polyglots
The moment when IDN (Internationalized Domain Name) was invented signified a true cultural democratization of the Internet.
For the first time, you didn’t have to use the Latin alphabet for a domain name, or switch to a Latin keyboard to type a URL in the address bar. Your website’s URL could be in Cyrillic, Chinese, Hebrew, Greek or whichever alphabet you chose.
However, browsers don’t really work with Unicode characters when they look a domain up. The Internet is a giant multicultural library of books written in thousands of languages, but it needs a single registry written in the predominant and most universal alphabet, that is, Latin. In other words, you see the website’s address written in Arabic, but your browser converts it to a Latin-only (ASCII) code which it understands.
So, let’s imagine we have a Greek website with a URL of αγάπη.gr. That’s the form in which it will appear in the address bar so that you could read, understand and type it yourself (if you speak Greek, of course), but your browser understands and registers these words as xn--hxajgr8b.gr.
You can try this yourself by using a Punycode converter.
These are homograph attacks
Hackers are known to take advantage of every good idea there is. So they did it with this one as well.
A homograph attack means that the malicious website’s URL looks identical to a legitimate one because it uses homographs: characters that look alike but come from different alphabets. Can your eye see the difference between C and С, A and А, O and О? Each of the second ones comes from the Cyrillic script. The computer detects the difference. You don’t. Some fonts could display it, but you cannot choose a calligraphy font to search for a website.
Of course, the imitation wouldn’t be complete without an SSL certificate (the “Secure” label on the left of the address bar in Chrome, or the green padlock in Firefox). So, they found a way to acquire that too!
Xudong Zheng, a Chinese researcher who investigated this problem and publicly disclosed it, even made a spoof Apple website for demonstration purposes. The same was done by the guys at Wordfence.
Homograph attacks have been around since 2001. Even PayPal got an evil twin written in Russian Cyrillic.
How to alleviate the risk?
You can actually discover if there’s something suspicious in the URL by inspecting the SSL certificate. Here’s how to do it.
But how often do we do that? It’s not like we’ve grown a habit.
So, if you receive an email with a link that looks just fine, copy and paste it into your browser to see how the browser interprets it before hitting Enter. If it displays the now infamous xn-- prefix, you should think twice before going down that road.
Both Chrome and Firefox have actually deployed certain precautions against homograph attacks. They are able to detect fake websites whose domain names mix characters from several different scripts. But when all the characters come from a single alphabet, the browsers are helpless.
Chrome is about to release a patch that is being delivered to its users these days. So, dear Chromers, update your browser as soon as possible!
Safari users don’t have anything to worry about, and neither do users of Internet Explorer (apparently, the one thing that makes it better than Chrome or Mozilla) or its more modern descendant, Microsoft Edge.
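The “paste it and look for xn--” check above, plus the mixed-script versus single-script distinction, can be automated for links pulled out of an email. The script below is an added example written for this post, not code from any browser or from the researchers mentioned; it uses Python’s built-in idna codec for the Punycode conversion, and its look-alike table (LATIN_LOOKALIKES) is a small constructed subset of the real Unicode confusables list, so it is illustrative rather than exhaustive.

```python
import unicodedata

# Constructed, deliberately small table of non-Latin letters that render like Latin
# ones in common fonts (Cyrillic а с е о р х у, Greek ο). Browsers consult the far
# larger Unicode confusables.txt list; this subset is enough to show the idea.
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u03bf": "o",
}

# Higher rank = more suspicious. A single-script look-alike label ranks highest
# because that is the case the browsers' mixed-script heuristic does not catch.
RANK = {"ascii": 0, "idn": 1, "mixed-script": 2, "lookalike": 3}


def script_of(ch):
    """Script name taken from the Unicode character name, e.g. 'CYRILLIC'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(hostname):
    """Replace each known look-alike with the Latin letter it imitates."""
    return "".join(LATIN_LOOKALIKES.get(ch, ch) for ch in hostname)


def classify_label(label):
    """Classify one dot-separated label of a hostname."""
    letters = [ch for ch in label if ch.isalpha()]
    if all(ord(ch) < 128 for ch in label):
        return "ascii"
    if len({script_of(ch) for ch in letters}) > 1:
        return "mixed-script"          # e.g. Latin letters with one Cyrillic letter
    if letters and all(ch in LATIN_LOOKALIKES for ch in letters):
        return "lookalike"             # whole label imitates a Latin word
    return "idn"                       # a genuine internationalized name


def inspect_hostname(hostname):
    """Return (punycode form, verdict, latin skeleton) for a hostname from a link.

    The punycode form is what the address bar shows after pasting the link: an
    'xn--' label is the signal the post tells readers to look for.
    """
    ascii_form = hostname.encode("idna").decode("ascii")
    verdict = max((classify_label(l) for l in hostname.split(".")), key=RANK.get)
    return ascii_form, verdict, skeleton(hostname)


if __name__ == "__main__":
    # Constructed samples: the post's Greek example, a plain ASCII name, a mixed-script
    # name (Cyrillic е + Latin) and an all-Cyrillic look-alike of "copy.com".
    for host in ["αγάπη.gr", "example.com", "\u0435xample.com", "\u0441\u043e\u0440\u0443.com"]:
        print(host, "->", inspect_hostname(host))
```

The Greek example from the post comes out as xn--hxajgr8b.gr with the verdict idn, while the all-Cyrillic sample is flagged lookalike with the skeleton copy.com, which is exactly the case the mixed-script check alone would let through.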