Malicious actors can create legitimate-looking phishing domains by leveraging the fact that some popular web browsers fail to properly protect their users against homograph attacks.
Web developer Xudong Zheng has demonstrated how an attacker could have registered the domain name “xn--80ak6aa92e.com,” which is displayed by web browsers such as Chrome, Opera and Firefox as “apple.com.”
Unicode is a standard for encoding and representing all characters and glyphs from all languages. Unicode characters can be used in Internet hostnames through Punycode. For instance, the Chinese word “短” is equivalent to “xn--s7y.”
Characters such as the Cyrillic “а” and the Latin “a” may look the same, but they are represented differently in Punycode, allowing malicious actors to create domains where Latin letters are replaced with similar-looking Greek or Cyrillic characters. This is known as an internationalized domain name (IDN) homograph attack.
Modern web browsers are designed to prevent these types of attacks – for example, “xn--pple-43d.com” will be displayed as “xn--pple-43d.com” instead of “apple.com.” However, Zheng discovered that this filter can be bypassed in Chrome, Firefox and Opera by creating the entire domain name using Cyrillic characters, leading to “xn--80ak6aa92e.com” being displayed as “apple.com.”
For a proof-of-concept (PoC), the expert registered the domain “xn--80ak6aa92e.com” and obtained a free digital certificate for it from Let’s Encrypt. When the domain is accessed via Opera, Chrome or Firefox, the user sees the domain name “apple.com” with a certificate issued for “apple.com.”
Wordfence has demonstrated the attack technique by spoofing the healthcare website “epic.com,” and experts at SANS have also provided some examples.
Zheng reported his findings to Google and Mozilla on January 20, and while the upcoming Chrome 58 will resolve the issue, Mozilla is still trying to figure out how to address the problem.
Mozilla initially classified the vulnerability report as “WONTFIX,” but later reopened it and assigned it a low severity rating. Until the organization comes up with a fix, Firefox users can protect themselves against potential attacks by typing “about:config” in the address bar to access advanced settings, and changing the “network.IDN_show_punycode” preference to “true.”
Edge, Internet Explorer and Safari are not affected. However, it’s worth noting that researchers did report recently that cybercriminals had been targeting Office 365 business email users by exploiting a weakness in how Office 365 handles Punycode.
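A defender-side check for the two cases described above, the mixed-script label that browsers already show as Punycode and the all-Cyrillic label that slipped past that filter. This is an added example, not code from the original article or from Zheng's write-up. The lookalike table is a small constructed subset and the function names are hypothetical.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones, written as
# escapes so they stay distinguishable; real checks use the UTS #39 confusables data.
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (decodes an xn-- label)."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Scripts used in text, taken from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text
            if not (ch.isascii() and (ch.isdigit() or ch == "-"))}

def classify(hostname):
    """Return a list of (unicode_label, verdict, skeleton), one per label."""
    results = []
    for label in hostname.rstrip(".").split("."):
        try:
            text = decode_label(label)
        except UnicodeError:
            results.append((label, "invalid-punycode", label))
            continue
        used = scripts(text)
        # Skeleton: the label with every known lookalike replaced by its Latin twin.
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in text)
        if used <= {"LATIN"}:
            verdict = "ascii-or-latin"
        elif len(used) > 1:
            verdict = "mixed-script"             # the case browsers already caught
        elif skeleton.isascii():
            verdict = "whole-script-confusable"  # one script, reads as pure ASCII
        else:
            verdict = "single-script-idn"        # ordinary IDN, e.g. a CJK label
        results.append((text, verdict, skeleton))
    return results

if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "xn--pple-43d.com", "xn--s7y", "apple.com"):
        print(host, classify(host))
```

A mail gateway or proxy log pipeline can alert on any hostname with a `whole-script-confusable` or `mixed-script` label whose skeleton matches a brand name it protects.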

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
