Jump to content


Be Aware - Phishing with Unicode Domains

  • Please log in to reply
6 replies to this topic

#1 Error 403

Error 403

    Flawless Life

  • General Community Representative
  • 3129 posts
  • HomeThe oil land, or better known as Norway.

Posted 19 April 2017 - 11:44 AM

Be Aware - Phishing with Unicode Domains

Posted by Xudong Zheng, April 14, 2017





Before I explain the details of the vulnerability, you should take a look at the proof-of-concept.

Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters. For example, the domain "xn--s7y.co" is equivalent to "短.co".


From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as "xn--pple-43d.com", which is equivalent to "аpple.com". It may not be obvious at first glance, but "аpple.com" uses the Cyrillic "а" (U+0430) rather than the ASCII "a" (U+0041). This is known as a homograph attack.


Fortunately modern browsers have mechanisms in place to limit IDN homograph attacks. The page IDN in Google Chrome highlights the conditions under which an IDN is displayed in its native Unicode form. Generally speaking, the Unicode form will be hidden if a domain label contains characters from multiple different languages. The "аpple.com" domain as described above will appear in its Punycode form as "xn--pple-43d.com" to limit confusion with the real "apple.com".


The homograph protection mechanism in Chrome, Firefox, and Opera unfortunately fails if every characters is replaced with a similar character from a single foreign language. The domain "аррӏе.com", registered as "xn--80ak6aa92e.com", bypasses the filter by only using Cyrillic characters. You can check this out yourself in the proof-of-concept using Chrome, Firefox, or Opera.


Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox. As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate. This Go program nicely demonstrates the difference between the two sets of characters. Internet Explorer, Safari, along with several less mainstream browsers are fortunately not vulnerable.



ScreenshotsGoogle ChromeFirefoxFirefox SSLInternet ExplorerInternet Explorer SSL.



This bug was reported to Chrome and Firefox on January 20, 2017 and was fixed in the trunk of Chrome 59 (currently in Canary) on March 24. The Chrome team has since decided to include the fix in Chrome 58, which should be available around April 25. The existence of the bug in Opera was brought to my attention only after the initial publication of this post. The problem remains unaddressed in Firefox as they remain undecided whether it is within their scope. The Bugzilla issue was initially marked "RESOLVED" and "WONTFIX", though it has since been reopened, made public, and given the "sec-low" keyword.


Our IDN threat model specifically excludes whole-script homographs, because they can't be detected programmatically and our "TLD whitelist" approach didn't scale in the face of a large number of new TLDs. If you are buying a domain in a registry which does not have proper anti-spoofing protections (like .com), it is sadly the responsibility of domain owners to check for whole-script homographs and register them.


Firefox users can limit their exposure to this bug by going to about:config and settingnetwork.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains. Thanks to user MARKZILLA from reddit for this temporary solution.





A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. Until this is fixed, users should manually type the URL or navigate to the site via a search engine when in doubt. I hope Firefox will consider implementing a fix to this problem since this can cause serious confusion even for those who are extremely mindful of phishing.




  • Mr blue sky01, Iluvtanks and Tank Ben like this


:: General Community Representative ::

 Forum Rules  EULA • Support  In-game Reports 

#2 Iluvtanks


    Supreme Commander

  • Community Contributor
  • PipPipPipPipPip
  • 1893 posts
  • HomeManitoba, Canada

Posted 19 April 2017 - 12:00 PM

Thanks for the heads up!

"Knowledge comes, but wisdom lingers. It may not be difficult to store up in the mind a vast quantity of facts within a comparatively short time, but the ability to form judgments requires the severe discipline of hard work and the tempering heat of experience and maturity." - Unknown

#3 Tank Ben

Tank Ben

    Major General

  • Moderator
  • Others: In-game Moderator
  • 495 posts
  • HomeSomewhere cold, warm, cloudy and rainy.

Posted 19 April 2017 - 01:31 PM

Good job, Error!
"Love is the most beautiful thing to have, hardest thing to earn and most painful thing to lose." - Unknown

#4 randy12345


    Supreme Commander

  • Member
  • PipPipPipPipPip
  • 8378 posts
  • HomeBorn in Leeds, England (Used to be NYC, now's Newark, New Jersey)

Posted 20 April 2017 - 06:34 AM

Oh wow

Bow down to my dank memes.

#5 rcmppolice


    Commander of the Army

  • Member
  • PipPipPipPip
  • 1413 posts
  • HomeWashington,Pullman.but now in Hong Kong

Posted 20 April 2017 - 05:14 PM

i dont get it

Let the Royal Canadian Mounted Police do the work...........

#6 Error 403

Error 403

    Flawless Life

  • General Community Representative
  • 3129 posts
  • HomeThe oil land, or better known as Norway.

Posted 20 April 2017 - 11:28 PM

i dont get it


To put it in simple terms, it has been easier to perform phishing attacks; the attempt to obtain sensitive information such as usernames, passwords, bank- and credit card details, often for malicious reasons. The most widely used method is cloning real websites and sending the fake websites to the victim(s) by E-mail. When a victim enters their sensitive information on a fake website, this information is uploaded to the phisherman's database and the victim is redirected to the real website, often to the "incorrect log-in details" screen. When the victim enters their correct sensitive information again, it will work and they may think that they entered something wrong the first time, but they will not know what really happened.
This is obvious to anyone who pays attention to the website's URL. If the URL is different than the real one, people will leave that website at once. Here is an example:


As you can see, the difference is quite obvious. However, with the technology being improved for each day that passes, new methods are being used. One of them is the use of Unicode domains (basically domains with foreign characters). It is almost impossible to detect anything strange with these domains, as you can see in the screenshot below.





This vulnerability in Google Chrome and some other webbrowsers has finally been patched. The URL of the fake website above will now show "https://www.xn--80ak6aa92e.com" rather than "https://www.apple.com/" and it is thus obvious to anyone that this is not the real website. A good rule of thumb is to never open any suspicious links you receive by anyone, no matter how convincing it may be.


:: General Community Representative ::

 Forum Rules  EULA • Support  In-game Reports 

#7 jl99



  • Member
  • Pip
  • 3 posts

Posted 21 April 2017 - 03:11 PM

Dam! Honestly until now I did not pay a lot of attention to the URL know I would never click on that "Hey".So where would we run into this?
And thank you for making me more aware this stuff.Boy would I love get me hands on one of these knuckle heads they can ruin you.Good stuff.

Edited by In98, 21 April 2017 - 03:20 PM.
Removed inappropriate language.

0 user(s) are browsing this forum

{parse template="include_lightbox_real" group="global" params=""} {parse template="inlineLogin" group="global" params=""}