Attackers can evade a browser safeguard and abuse Unicode domain names to phish the login credentials of Chrome, Firefox, and Opera users.
Security researcher Xudong Zheng has published a proof-of-concept that exploits a weakness in how some web browsers display internationalized domain names. Attackers can use this sleight of hand to lure users onto phishing websites. All they need is Punycode, the encoding that represents non-ASCII (Unicode) domain labels using only ASCII characters so they can be carried in DNS.
The Punycode domain “xn--pple-43d.com” decodes to “аpple.com”, whose first letter is not the Latin “a” but the Cyrillic “а” (U+0430); in most fonts the two are indistinguishable. If a web browser shows the decoded Unicode form in its address bar rather than the raw Punycode, a user sees what appears to be apple.com and can be tricked into entering Apple credentials on an attacker’s site. Browsers already fall back to displaying Punycode for a label that mixes scripts, as this one does; the proof-of-concept evaded that check by building the lookalike entirely from characters of a single non-Latin script, so the mixed-script heuristic never fired.
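The following script is an added example, not code from the article or from Xudong Zheng’s proof-of-concept. It decodes the xn--pple-43d label with Python’s standard idna codec, names each code point so the Cyrillic “а” becomes visible, and then applies two display heuristics of the kind the browser change discussed below introduced: a mixed-script check, and a “skeleton” check that maps a small, constructed subset of the Unicode confusables list back to Latin letters and compares the result against a hypothetical list of protected brand names (PROTECTED). The all-Cyrillic label used in the demo is constructed here to show why the mixed-script check alone is not enough.

```python
import unicodedata
from typing import Optional, Tuple

# Constructed subset of the Unicode confusables list (assumption: illustrative,
# far from exhaustive): non-Latin letters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

# Hypothetical list of brand labels a browser or mail gateway wants to protect.
PROTECTED = ("apple", "google", "paypal")


def decode_label(a_label: str) -> str:
    """Punycode A-label (or whole hostname) -> Unicode, e.g. 'xn--pple-43d' -> 'аpple'."""
    return a_label.encode("ascii").decode("idna")


def encode_label(u_label: str) -> str:
    """Unicode label -> the 'xn--' Punycode form that actually goes into DNS."""
    return u_label.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Approximate the script from the first word of the character name (LATIN, CYRILLIC, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in(label: str) -> set:
    return {script_of(c) for c in label if c.isalpha()}


def is_mixed_script(label: str) -> bool:
    return len(scripts_in(label)) > 1


def skeleton(label: str) -> str:
    """Replace known lookalikes with the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def spoofs(label: str) -> Optional[str]:
    """Return the protected name this label imitates, or None if it is not a lookalike."""
    for target in PROTECTED:
        if label != target and skeleton(label) == target:
            return target
    return None


def display_form(label: str) -> Tuple[str, str]:
    """Decide how to show a label: Unicode when benign, Punycode otherwise.

    The mixed-script check alone mirrors the older heuristic; the skeleton check
    is what catches a single-script lookalike that the first check lets through.
    """
    if is_mixed_script(label):
        return encode_label(label), "mixed scripts"
    target = spoofs(label)
    if target:
        return encode_label(label), f"looks like {target}"
    return label, "ok"


def describe(label: str) -> list:
    """One 'U+XXXX NAME' line per character, so lookalikes become visible."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in label]


if __name__ == "__main__":
    mixed = decode_label("xn--pple-43d")          # Cyrillic а followed by Latin "pple"
    single = "\u0430\u0440\u0440\u04cf\u0435"     # constructed: all Cyrillic, reads "apple"
    for label in ("apple", mixed, single):
        print(label, display_form(label))
        for line in describe(label):
            print("   ", line)
```

Run stand-alone, the script shows that the genuine “apple” is displayed as-is, the mixed-script “аpple” is forced back to its Punycode form, and the all-Cyrillic label passes the mixed-script check yet is caught by the skeleton comparison. The script-of-character approximation via the Unicode name prefix and the ten-entry confusables table are simplifications; a production check would use the full Unicode Script property and the complete confusables.txt data.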
Browsers have faced such homograph attacks against their users before.
A Google Chrome update (version 58) now restricts how domain names containing non-Latin characters are displayed in the browser. The change responds to the recently disclosed technique, which could let attackers create highly credible phishing websites.
Internationalized domain names are great for global internet usability, but they also raise security problems: some alphabets contain characters that look very similar to Latin letters, and this can be abused to spoof URLs.