Researchers Warn of Phishing Sites Using Unicode and Homograph URLs
Attackers can use characters from alphabets such as Cyrillic or Latin to make phishing sites appear to be in English, a method that has been in use for years. Researchers are also warning that attackers have used Punycode to register convincing phishing sites with international characters.
Punycode translates Unicode domains into ASCII. The differences can be so minor that they are sometimes almost impossible for the human eye to catch.
— Paul Moore (@Paul_Reviews) June 27, 2015
The Unicode domain method puts both companies and browsers like Firefox and Chrome in a tight spot when it comes to combating it. Companies looking to prevent fraudulent domains would have to reserve domain names proactively and point visitors to the legitimate site (such as the Lloyds example above).
Researchers at Wordfence also authored a post warning about this attack method, showing how easy it was to create a phishing domain using epic.com. “Our epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in Chrome and Firefox as epic.com,” Wordfence researcher Mark Maunder wrote.
Fixing this issue in browsers can be a bit complicated, as exemplified by the ongoing discussion over at Firefox. Both Firefox and Chrome have been found to be susceptible to Unicode URLs.
A user who is not looking closely could visit the site believing it to be the authentic apple.com. Paired with a legitimate SSL certificate purchased from an authority like Let’s Encrypt, the green lock and deceptive URL can make for one convincing phishing page.
Security researcher Xudong Zheng says there are a few ways to “limit the damage” of attacks like these. In a blog post he explains how the method works, and that a manual tweak in the Firefox browser and the use of a password manager can make it hard to get tripped up by convincing phishing sites.
Automated security phishing tools can also help, such as Cisco Umbrella’s NLPRank model that uses machine learning data models to decipher when a URL or site is being deceptive.
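A defender-side check for the Punycode look-alikes described above, as an added example that is not code from the article or from the researchers it quotes. It decodes xn-- labels and compares the result with a watchlist of protected domains; the LOOKALIKES table is a small constructed subset, and the function names, the watchlist and the apple.com sample are assumptions made for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones; a real
# deployment would load the full Unicode TR39 confusables data instead.
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y", "\u0458": "j",
}

def to_unicode(host):
    """Decode every xn-- (Punycode) label of a hostname to Unicode."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Approximate the scripts in a label from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def check_host(host, protected):
    """Compare a hostname's look-alike-folded form with protected domains."""
    shown = to_unicode(host)
    folded = "".join(LOOKALIKES.get(ch, ch) for ch in shown)
    return {
        "displayed_as": shown,
        # True when one label mixes scripts, e.g. Cyrillic and Latin letters
        "mixed_script": any(len(scripts(l)) > 1 for l in shown.split(".")),
        # protected domain this host renders like, if it is not that domain
        "imitates": folded if folded in protected and folded != shown else None,
    }

if __name__ == "__main__":
    protected = {"epic.com", "apple.com"}  # hypothetical watchlist
    # First host is the one quoted in the article; the third is constructed.
    for host in ("xn--e1awd7f.com", "epic.com", "\u0430pple.com"):
        print(ascii(host), ascii(check_host(host, protected)))
```

The article's xn--e1awd7f label decodes to four Cyrillic letters only, so a rule that looks for mixed scripts inside a label does not flag it, while the folded comparison against the watchlist does.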