Homograph attacks, which involve substituting Unicode with regular ASCII letters to fake a domain name, have been around since the early 2000s. Modern web browsers are built to detect homograph attacks, but software engineer Xudong Zheng figured out a way to beat the filters.
The problem is a serious one, but thankfully is only a problem in Google Chrome, Firefox, and Opera. Want to know if you're vulnerable? Head over to Zheng's blog and check out his proof of concept link to a fake Apple domain.
What you would see if you were protected would be the real domain name: https://www.xn—80ak6aa92e.com. Because it's named with Unicode substitutions for a, p, l, and e it displays as a completely legitimate domain name—it's even secured with HTTPS.
Zheng discovered that when a domain is named with a set of Unicode letters from a single language (typically Russian) it bypasses the filters in Chrome, Firefox, and Opera.
Why homograph attacks work
If you're reading this you speak the native language of the internet: English. Since its inception internet domain names have used the English alphabet, which is a problem for those who don't speak or use a computer in English.
See: Cybersecurity in 2017: A roundup of predictions (Tech Pro Research)
Enter Punycode, a method of representing Unicode characters using ASCII letters. The domain xn—80ak6aa92e is Punycode for Apple, for example, all without needing to type the U+XXXX format of Unicode letters.
The most common way to fool a web browser is to replace English letters with homographs from a different alphabet. Russian Cyrillic is the most commonly used because there are several Unicode letters that are identical to their english counterparts. Check out the Go app that Zheng created to illustrate the concept: Just hit Run at the top and look at the output below the code.
All a cybercriminal needs to do is register the Punycode homograph domain, replicate the look of Apple's website, and wait for an unsuspecting user to click on a link in an email that looks completely legitimate.
Protecting yourself and your network
Windows users should be encouraged to use Internet Explorer with one caveat: Be sure Russian and other Cyrillic alphabet languages are turned off in active system languages.
Google released a hotfix to Chrome yesterday that fixes the issue—check your browser to see what the current version is. If it isn't 58.0.3029.81 update it right away.
See: There's a new Gmail phishing attack going around, and it's fooling everyone (TechRepublic)
Firefox users need to do a bit of manual work to protect themselves, but it is possible by following these steps:
- In the URL bar type about:config.
- Search for punycode on the page that opens.
- You should find a field called network.IDN_show_punycode.
- Change network.IDN_show_punycode from false to true.
Opera users are, unfortunately, out of luck: There's currently no known fix.
Hacking and phishing attempts are getting more sophisticated all the time, and it's safe to assume that if someone with good intentions reveals a flaw, someone with malicious intent has probably figured it out as well.
The three big takeaways for TechRepublic readers:
- The homograph phishing attack uses identical Unicode letters from different languages to trick users into thinking a fake domain is the real one.
- The problem was believed fixed, but a software engineer just revealed it's still possible to do with Unicode letters from a single alphabet—only when mixing alphabets do browser detection methods notice.
- The bug affects Chrome, Firefox, and Opera. There is currently no fix for Opera, Google has released a Chrome patch that fixes it, and Firefox users need to manually enable Punycode display.
- Infographic: How to identify and avoid phishing attacks (TechRepublic)
- Phishing: Would you fall for one of these scam emails? (ZDNET)
- How one man's phishing scam cost two major US tech companies $100M (TechRepublic)
- Phishing-as-a-service is making it easier than ever for hackers to steal your data (ZDNET)
- The phishing email that hacked the account of John Podesta (CBS News)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.