Security News Phishing Attack almost impossible to detect in Chrome, Firefox and Opera

Parsh

A Chinese infosec researcher has discovered a new "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet.
He warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon, to steal login or financial credentials and other sensitive information from users.
[Image: unicode-punycode-phishing-attack (1).png]
“It becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate,” Xudong Zheng says.

If your web browser is displaying "apple.com" in the address bar secured with SSL, but the content on the page is coming from another server (as shown in the above picture), then your browser is vulnerable to the 'Homograph attack'.
The homograph attack has been known since 2001, but browser vendors have struggled to fix the problem. It’s a kind of spoofing attack where a website address looks legitimate but is not, because a character or characters have been replaced deceptively with Unicode characters.

Punycode Phishing Attacks
By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL to defend against such phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by the International Domain Names (IDNs) system.
For example, the Chinese domain "短.co" is represented in Punycode as "xn--s7y.co".

According to Zheng, the vulnerability relies on the fact that web browsers render only Punycode URLs in one language as Unicode (like only Chinese or only Japanese), but they fail if a domain name contains characters from multiple languages.
The quoted loophole based on Punycode in browsers allowed the researcher to register a domain name, xn--80ak6aa92e.com, which is displayed as “apple.com” by all vulnerable web browsers, including Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.

While Mozilla is currently still discussing a fix, Google has already patched the vulnerability in its experimental Chrome Canary 59 and will come up with a permanent fix with the release of Chrome Stable 58, set to be launched later this month.

Meanwhile, millions of Internet users who are at risk of this sophisticated hard-to-detect phishing attack are recommended to disable Punycode support in their web browsers in order to temporarily mitigate this attack.
While Chrome users have to wait for the said release, Firefox users can follow the steps below to manually apply a temporary mitigation:
  1. Type about:config in the address bar and press Enter.
  2. Type Punycode in the search bar.
  3. The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
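
The decoding and display decision discussed in the post above, as an added example that is not part of the original post or of any browser's code: it decodes each `xn--` label with Python's built-in `punycode` codec and keeps the Punycode form when a label mixes scripts or consists only of Cyrillic letters that look like ASCII. The `LOOKALIKES` table, the name-based script guess and the function names are assumptions made for this illustration.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like
# ASCII letters (an assumption for this example, not a complete list).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}

def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- labels are Punycode."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed Punycode: leave the label as received

def scripts(text):
    """Guess each letter's script from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def display_form(hostname):
    """Return (text to show in the address bar, reason)."""
    shown, reason = [], "ok"
    for label in hostname.split("."):
        uni = decode_label(label)
        if uni != label:
            if len(scripts(uni)) > 1:
                uni, reason = label, "mixed scripts"
            elif all(ch in LOOKALIKES for ch in uni):
                uni, reason = label, "whole-label Latin lookalike"
        shown.append(uni)
    return ".".join(shown), reason

if __name__ == "__main__":
    # Both hostnames are the ones quoted in the post.
    for host in ("xn--s7y.co", "xn--80ak6aa92e.com"):
        print(host, "->", display_form(host))
```

The single-script Chinese label is shown in Unicode, while the all-Cyrillic "apple" label stays in its `xn--` form, which is the same effect as setting network.IDN_show_punycode to true for that one name.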
 

jamescv7

Experienced users are aware that SSL/HTTPS does not guarantee the safety of the website but rather verifies the overall information only. As we all know, the criteria to gather the certificate are full of loopholes.

I think browsers should integrate an accessible view of site information so that users are aware of possible forged sites.
 

Myriad

@Parsh

Good post! ... thanks for the "heads-up"

In Cyberfox network.IDN_show_punycode was set to false so I changed it to true just in case. ;)

Ha!
You got me there, for a few seconds :)

Has anyone tried the "Privacy Settings" extension in FF recently?
I haven't used it for some time, but it was very good for zooming in on all privacy-related FF options.

A whole lot easier than trawling through about:config :)
 

ForgottenSeer 19494

In Edge I don't think it can be disabled in some way, but the real URL letters of paypal.com are white, while if the vulnerability is used they are not highlighted (as are the subdomains usually). That's the way you can guess it.
 

frogboy

> @Parsh
>
> Good post! ... thanks for the "heads-up"
>
> Ha!
> You got me there, for a few seconds :)
>
> Has anyone tried the "Privacy Settings" extension in FF recently?
> I haven't used it for some time, but it was very good for zooming in on all privacy-related FF options.
>
> A whole lot easier than trawling through about:config :)

I have used Privacy Settings but am having a new look at it now. Thanks for the reminder. :)
 

Parsh

> In Edge I don't think it can be disabled in some way, but the real URL letters of paypal.com are white, while if the vulnerability is used they are not highlighted (as are the subdomains usually). That's the way you can guess it.

Everyone can have a look here, which explains the same issue with some different details.
There are screenshots showing how Chrome (FF, Opera) and Edge (and other browsers) display the webpage URL. Edge seems to show the actual (the fake) domain name, making it easy to detect the attack!

> In Cyberfox network.IDN_show_punycode was set to false so I changed it to true just in case. ;)

Yes, that's the case; it looks confusing at first though :)

> This vector won't affect me, why do you think I used Netcraft since ages :D

Woah, can you explain how exactly it helps? Is it the site rating you're talking about?
 

ForgottenSeer 19494

I reported it yesterday and it seems to be fixed now (or maybe they've temporarily blocked Edge from showing native language addresses?) in Microsoft Edge. It worked with no different settings than yesterday, otherwise I would've told you the workaround. :rolleyes:
[Attached screenshots: ScreenShot_20170418202953.png, ScreenShot_20170418203655.png]
 
