Punycode Phishing Attack almost impossible to detect

A Chinese security researcher has discovered a new phishing attack that is almost impossible to detect and can fool even the most alert internet users.

The researcher reports that he can use a known weakness in the Chrome, Firefox and Opera browsers to display spoofed domains of legitimate services such as Apple, Google, or Amazon, and in this way easily steal each user's credentials and other sensitive data.

Until now, what did we know about protecting ourselves against phishing attacks?

In general, we had to check the address bar for the correct domain name and whether the connection is secured with HTTPS.

Of course, we also looked for other small details: spelling mistakes, or imperfections in the design of the page.

The demo site (note: currently experiencing downtime due to high traffic), set up by Chinese security researcher Xudong Zheng, who discovered the attack, appears to be genuine.

"It is impossible to identify the page as fraudulent without looking carefully at the URL or the site's SSL certificate," said Xudong Zheng.

Although your web browser displays "apple.com" in the address bar with a secure SSL connection, the content of the page comes from a different server (as shown above).

There is also another proof-of-concept (PoC) website, created by the security experts at Wordfence, to demonstrate the browsers' vulnerability.

The "homograph" attack has been known since 2001, but the browsers do not seem to have fixed the problem. It is a type of spoofing attack in which a web page address looks legitimate but is not, because one or more of its characters have been replaced with look-alike Unicode characters.

Many Unicode characters from other alphabets (Greek, Cyrillic and Armenian) are used in internationalized domain names. These characters look the same as their Latin counterparts, but computers treat them differently, so they completely change the web address.

For example, the Cyrillic letter 'a' (U+0430) and the Latin 'a' (U+0041) look the same but are treated differently by the browsers.

However, what actually appears in the URL is the Cyrillic 'a', which of course leads the browser to a different address.

So the only "obvious" way to tell that the page is fake is from the certificate.

By default, many web browsers use "Punycode" encoding to display Unicode characters in the URL and to protect against such homograph phishing attacks. Punycode is a special encoding that the web browser uses to convert Unicode characters into the ASCII characters (A-Z, 0-9) supported by the Internationalized Domain Names (IDN) system.
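The conversion between the displayed name and its Punycode form, together with a check for look-alike labels, as an added example in Python (this is not code from the original post or from the researcher): `to_ascii` and `to_unicode` use Python's standard `punycode` codec to move between the Unicode name and its `xn--` form, and `assess` flags a label that mixes scripts or that is written entirely in Cyrillic letters resembling Latin ones (the all-Cyrillic case is the one the apple.com demo relies on, since a label in a single script is rendered in Unicode by the browsers discussed). The look-alike table covers only a handful of Cyrillic letters and the sample domains are constructed for the demo; the Latin lowercase 'a' is U+0061 (U+0041 is the capital 'A'). A real deployment would draw on the full Unicode confusables data.

```python
import unicodedata

# Constructed partial table of Cyrillic letters that render like Latin ones
# (assumption for the demo; not the article's data, and far from complete).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}


def to_ascii(domain):
    """Return the A-label (xn--) form of each label; ASCII labels pass through lower-cased."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_unicode(domain):
    """Decode xn-- labels back to Unicode, i.e. what a browser would render in the address bar."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_of(label):
    """Writing systems used by the letters of a label, read from the Unicode character names
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def latin_skeleton(label):
    """Map each letter to the Latin letter it resembles; None if any letter has no known look-alike."""
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in LOOKALIKES:
            out.append(LOOKALIKES[ch])
        else:
            return None
    return "".join(out)


def assess(domain):
    """Classify a domain name as it would be displayed.

    verdict is one of:
      'ascii'        - plain ASCII, nothing to decode
      'mixed-script' - a label mixes Latin with another script
      'lookalike'    - a single-script non-Latin label made entirely of Latin look-alikes
      'idn'          - any other internationalized name (e.g. a legitimate German umlaut)
    """
    u = to_unicode(domain)
    verdict = "ascii"
    for label in u.split("."):
        if label.isascii():
            continue
        scripts = scripts_of(label)
        if len(scripts) > 1:
            verdict = "mixed-script"
            break
        if "LATIN" not in scripts and latin_skeleton(label) is not None:
            verdict = "lookalike"
        elif verdict == "ascii":
            verdict = "idn"
    skeletons = [latin_skeleton(label) for label in u.split(".")]
    resembles = ".".join(skeletons) if all(s is not None for s in skeletons) else None
    return {"verdict": verdict, "unicode": u, "ascii": to_ascii(u), "resembles": resembles}


if __name__ == "__main__":
    # Constructed sample domains, as they might appear in a mail gateway or proxy log.
    samples = [
        "apple.com",                              # genuine, all ASCII
        "\u0430\u0440\u0440\u04cf\u0435.com",     # all-Cyrillic look-alike of apple.com
        "g\u043e\u043egle.com",                   # Latin with two Cyrillic 'o' mixed in
        "xn--80ak6aa92e.com",                     # the same look-alike already in Punycode form
        "b\u00fccher.example",                    # legitimate IDN: Latin script with a diacritic
    ]
    for d in samples:
        r = assess(d)
        print(f"{d:26} -> {r['verdict']:13} display={r['unicode']:16} "
              f"dns={r['ascii']:24} resembles={r['resembles']}")
```

The `resembles` field is what a mail filter or proxy would compare against a list of protected brands: a verdict of `lookalike` or `mixed-script` whose skeleton equals a brand domain is the case worth blocking or at least rewriting to its `xn--` form before it reaches the user.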

Zheng reported the vulnerability to the developers of the affected browsers.

While the Mozilla Foundation is still looking for a solution, Google is reported to have already fixed the vulnerability in the experimental Chrome Canary 59. We expect a permanent fix with the release of Chrome Stable 58, which will be released later this month.

If you use Firefox, follow these steps to temporarily fix the problem:

1. Type about:config in the address bar and press Enter, then accept the warning page (the "I'll be careful, I promise!" button).
2. Type punycode into the search field.
3. The browser will display the parameter named network.IDN_show_punycode.
4. Double-click it, or right-click and select Change, to change the value from false to true.

Unfortunately, there is no similar setting in Chrome or Opera.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
