Researchers are warning about a phishing attack that abuses the way some browsers display Unicode characters to show attack domains that are visually indistinguishable from legitimate ones.
The concept behind the attack is quite old, but it has resurfaced in the current versions of both Firefox and Chrome. The attack relies on the fact that the affected browsers render the Unicode form of an internationalized domain name (IDN) in the address bar rather than its Punycode (xn--) encoding, so a look-alike character from another script is drawn with the same glyph as the ASCII letter it imitates, making the two domains virtually impossible to tell apart by eye.
“From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as ‘xn--pple-43d.com’, which is equivalent to ‘аpple.com’. It may not be obvious at first glance, but ‘аpple.com’ uses the Cyrillic ‘а’ (U+0430) rather than the ASCII ‘a’ (U+0041). This is known as a homograph attack,” researcher Xudong Zheng wrote in a post on the attack.
Most browsers have some protections in place to defend against this kind of attack, but they don’t prevent every version of it. The existing check flags labels that mix scripts; if the attack domain replaces every ASCII letter with look-alikes drawn from a single non-Latin script (for example, entirely Cyrillic) rather than mixing scripts, the protections in Chrome and Firefox do not trigger. Researchers at Wordfence have demonstrated the issue by registering visually exact look-alikes of legitimate domains, some with valid TLS certificates.
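The following is an added example, not code from this article, from Xudong Zheng or from Wordfence. It shows the Punycode/Unicode round trip behind Zheng’s ‘xn--pple-43d.com’ example using Python’s standard `idna` codec, and why a script-mixing check on its own is not enough: a mixed Cyrillic/Latin label is caught, but an all-Cyrillic label passes and is still a homograph of an ASCII name. The confusables table is a small constructed subset of Unicode’s confusables list, the script-name heuristic is a simplification standing in for the browsers’ real policies, and the candidate domains are constructed for the demonstration (the all-Cyrillic one is not the domain Wordfence registered).

```python
import unicodedata

# Constructed subset of Unicode's confusables list: Cyrillic letters whose
# glyphs match ASCII letters in common fonts. Illustrative only (assumption);
# the tables browsers use are far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def to_punycode(domain):
    """ASCII-compatible form (xn--...) that goes on the wire and into certificates."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Unicode form the address bar shows when it decides the label is safe."""
    return domain.encode("ascii").decode("idna")


def scripts_of(label):
    """Approximate the scripts in a label from the first word of each character's
    Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and hyphens
    belong to no script. Simplification of the browsers' real script data."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(label):
    """The kind of check the article says Chrome and Firefox already apply."""
    return len(scripts_of(label)) > 1


def skeleton(label):
    """Map each confusable character to the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def is_homograph_of(label, ascii_target):
    """True when the label differs from the target but renders like it."""
    return label != ascii_target and skeleton(label) == ascii_target


def assess(domain, ascii_target):
    """Summarise how a browser with only a mixed-script check treats `domain`."""
    wire = to_punycode(domain)          # accepts Unicode or xn-- input
    display = to_unicode(wire)
    label = display.split(".")[0]       # check the registrable label only
    mixed = is_mixed_script(label)
    return {
        "wire": wire,
        "shown": wire if mixed else display,  # mixed script -> Punycode shown
        "mixed_script": mixed,
        "homograph": is_homograph_of(label, ascii_target),
    }


if __name__ == "__main__":
    # Constructed candidates (assumption: not the researchers' registered names).
    candidates = [
        ("apple.com", "apple"),                      # genuine ASCII name
        ("\u0430pple.com", "apple"),                 # Cyrillic a + Latin pple
        ("\u0435\u0440\u0456\u0441.com", "epic"),    # every letter Cyrillic
    ]
    for domain, target in candidates:
        r = assess(domain, target)
        print(f"{r['wire']:22} shown as {r['shown']:16} "
              f"mixed={r['mixed_script']!s:5} homograph={r['homograph']}")
```

Run with any Python 3 interpreter; nothing is fetched from the network. The first candidate is left alone, the second is shown as ‘xn--pple-43d.com’ because the script check fires, and the third is shown in its Cyrillic form even though its skeleton is ‘epic’, which is exactly the gap the article describes. A real defence needs a confusables comparison against known names (or, as Firefox allows, always showing Punycode), not a mixed-script test alone.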
“The real epic.com is a healthcare website. Using our unicode domain, we could clone the real epic.com website, then start emailing people and try to get them to sign into our fake healthcare website which would hand over their login credentials to us. We may then have full access to their healthcare records or other sensitive data,” Mark Maunder of Wordfence wrote.
“We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.”
The danger of this kind of attack is real, as it would be almost impossible for a non-technical user to detect. Google has added a fix for this problem in an upcoming release of Chrome, but for now the attack works against the current stable version of the browser. Mozilla has opened a Bugzilla discussion on it, and Maunder said there is a manual fix in Firefox that users can apply themselves: open about:config, search for the word punycode, and set the network.IDN_show_punycode parameter to “true”. Firefox will then show the raw xn-- form of every internationalized domain in the address bar, which defeats the trick at the cost of also showing legitimate non-ASCII domains in their encoded form.
Image: Derek Havey, CC By license.