Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Chrome, Firefox Users Exposed to Unicode Domain Phishing

Malicious actors can create legitimate-looking phishing domains by leveraging the fact that some popular web browsers fail to properly protect their users against homograph attacks.

Malicious actors can create legitimate-looking phishing domains by leveraging the fact that some popular web browsers fail to properly protect their users against homograph attacks.

Web developer Xudong Zheng has demonstrated how an attacker could have registered the domain name “xn--80ak6aa92e.com,” which is displayed by web browsers such as Chrome, Opera and Firefox as “apple.com.”

Unicode is a standard for encoding and representing all characters and glyphs from all languages. Unicode characters can be used in Internet hostnames through Punycode. For instance, the Chinese word “短” is equivalent to “xn--s7y.”

Characters such as the Cyrillic “а” and the Latin “a” may look the same, but they are represented differently in Punycode, allowing malicious actors to create domains where Latin letters are replaced with similar-looking Greek or Cyrillic characters. This is known as an internationalized domain name (IDN) homograph attack.

Modern web browsers are designed to prevent these types of attacks – for example, “xn--pple-43d.com” will be displayed as “xn--pple-43d.com” instead of “apple.com.” However, Zheng discovered that this filter can be bypassed in Chrome, Firefox and Opera by creating the entire domain name using Cyrillic characters, leading to “xn--80ak6aa92e.com” being displayed as “apple.com.”

For a proof-of-concept (PoC), the expert registered the domain “xn--80ak6aa92e.com” and obtained a free digital certificate for it from Let’s Encrypt. When the domain is accessed via Opera, Chrome or Firefox, the user sees the domain name “apple.com” with a certificate issued for “apple.com.”

Wordfence has demonstrated the attack technique by spoofing the healthcare website “epic.com,” and experts at SANS have also provided some examples.

Zheng reported his findings to Google and Mozilla on January 20, and while the upcoming Chrome 58 will resolve the issue, Mozilla is still trying to figure out how to address the problem.

Advertisement. Scroll to continue reading.

Mozilla initially classified the vulnerability report as “WONTFIX,” but later reopened it and assigned it a low severity rating. Until the organization comes up with a fix, Firefox users can protect themselves against potential attacks by typing “about:config” in the address bar to access advanced settings, and changing the “network.IDN_show_punycode” preference to “true.”

Edge, Internet Explorer and Safari are not affected. However, it’s worth noting that researchers did report recently that cybercriminals had been targeting Office 365 business email users by exploiting a weakness in how Office 365 handles Punycode.

Related: Cybercriminals Use New Tricks in Phishing Attacks

Related: PayPal Phishing Attack Immediately Verifies Credentials

Related: McDonald’s Website Flaws Allow Phishing Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.