topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 11:56 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Beware of punycode phishing attempts  (Read 6995 times)

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Beware of punycode phishing attempts
« on: June 18, 2018, 05:10 PM »
This is probably considered old news, but it's some information I just discovered and haven't found any references to punycode on DC, so I thought I'd post about it here.

Punycodew was created to help protect against phishing attacks where certain unicode characters in different languages look the same as letters from the roman alphabet but are in fact different. Punycode tries to avoid this problem by converting domains with unicode characters to what might appear to the average person to be a somewhat random mishmash of ASCII letters and numbers. However, there is a flaw in its design such that it doesn't always work, leaving you vulnerable to phishing attacks after all.

Check this article for more information: https://fraudwatchin...ode-phishing-part-1/

If you click the following link and your browser shows something that looks like "apple.com" in the address bar, then your browser is vulnerable to this attack vector.

xn--80ak6aa92e.com


Here's an example of what it looks like from a vulnerable browser:

IDN Homograph Example.png

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #1 on: June 18, 2018, 05:12 PM »
thanks for the heads up  :up:

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #2 on: June 19, 2018, 06:56 AM »
Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

That can't be good..

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,959
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #3 on: June 19, 2018, 07:01 AM »
Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

didnt think of that:
PaleMoon up-to-date showed the correct link both ways (i.e. always https://xn--80ak6aa92e.com/). No warning though.
Tom

ConstanceJill

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 205
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #4 on: June 19, 2018, 07:15 AM »
And this is why Firefox should have "network.IDN_show_punycode" set to true as default.

KodeZwerg

  • Honorary Member
  • Joined in 2018
  • **
  • Posts: 718
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #5 on: June 19, 2018, 07:34 AM »
Opera, latest Version, no Unicode Display of Domain-Names, so no problem with Opera.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #6 on: June 19, 2018, 08:36 AM »
Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

That can't be good..

The browser that he's using to show the vulnerability appears to be Firefox.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #7 on: June 19, 2018, 11:13 AM »
Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

The browser that he's using to show the vulnerability appears to be Firefox.

The screenshot I took was from Tor browser, which is indeed based on Firefox.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #8 on: June 19, 2018, 11:42 AM »
Oh!  I didn't know that was your screenshot  ;D

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #9 on: June 19, 2018, 09:20 PM »
Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #10 on: June 19, 2018, 10:11 PM »
Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

That might be Notepad, pasting into Notepad++ shows http://xn--80ak6aa92e.com/ (unless I've misunderstood something).

Ah, I see what you mean now, copying out of Edge it shows as apple.com, I was copying out of Vivaldi which gave the correct link.

FWIW:
Vivaldi - OK
K-Meleon (Goanna engine) - OK
Iridium - OK
SlimJet - OK
Puffin - OK
Edge - OK
Firefox 52 ESR - Fail
Basilisk - Fail
Chromium - Fail

Last 3 aren't the absolute latest version.
« Last Edit: June 19, 2018, 10:27 PM by 4wd »

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #11 on: June 19, 2018, 10:22 PM »
Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com


Strange.  Mine worked - it just pasted the url direct.  Do you have something else in the background that might be the cause of it?

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #12 on: June 19, 2018, 10:25 PM »
Strange.  Mine worked - it just pasted the url direct.  Do you have something else in the background that might be the cause of it?

Just seems to be when copying it out of Edge, (and maybe IE)  ... seems more like Edge is 'converting' it before it hits the clipboard since it copies out of other browsers OK.
« Last Edit: June 19, 2018, 10:41 PM by 4wd »

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #13 on: June 20, 2018, 09:49 AM »
Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com


Strange.  Mine worked - it just pasted the url direct.  Do you have something else in the background that might be the cause of it?


I'm not really a fan of addons, so there shouldn't be.

I tried it starting with this page loaded in different browsers:

IE got the link hover name correct and threw a Punny error on navigation to xn--80ak6aa92e.com, but botched the paste (аррӏе.com)

FF got the link hover name wrong, navigated to "Apple.com", but got the paste right (xn--80ak6aa92e.com).

Edge got hover link right, navigated to xn--80ak6aa92e.com, but got paste wrong (аррӏе.com).

SlimJet got hover link wrong, navigated to "apple.com", and got paste wrong (аррӏе.com).

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #14 on: June 20, 2018, 11:49 PM »
I don't have firefox installed, but I opened this page in Edge, navigated to it (fine), copied the text from this page, and pasted it into Chrome, and it was fine....

I just got what you meant.  You right-clicked on it, and it pasted wrong.  Is that right?  I was selecting and copying it, and it was right.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #15 on: June 21, 2018, 06:48 AM »
I don't have firefox installed, but I opened this page in Edge, navigated to it (fine), copied the text from this page, and pasted it into Chrome, and it was fine....

I just got what you meant.  You right-clicked on it, and it pasted wrong.  Is that right?  I was selecting and copying it, and it was right.

Correct, I'm using the context menu's copy link/copy shortcut options for the test, not the select and copy method.

hollowlife1987

  • Honorary Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 92
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #16 on: June 21, 2018, 07:14 AM »
Correct, I'm using the context menu's copy link/copy shortcut options for the test, not the select and copy method.

Interesting that Edge and IE will convert it when copying it that way.

Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

I really don't believe this is the case as other browsers fail (pass) when copying the link that way.  Also since copying from URL bar doesn't do it also its more of just the "copy link" feature in Edge and IE.  I tested in chrome as 3rd party browser and it doesn't convert it before it goes to clipboard.


KodeZwerg

  • Honorary Member
  • Joined in 2018
  • **
  • Posts: 718
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #17 on: June 21, 2018, 07:23 AM »
Simple Unicode, by using Clipboard it correctly convert text to  Unicode "0430 0440 0440 04CF 0435", my guess russian (kyrilic?) symbols are used that fake the text to "apple"

KodeZwerg

  • Honorary Member
  • Joined in 2018
  • **
  • Posts: 718
    • View Profile
    • Donate to Member
Re: Beware of punycode phishing attempts
« Reply #18 on: June 21, 2018, 10:51 AM »
Cyrillic (<- sorry if misspelled) Unicode to PunyCode Example app.Screenshot - 21_06 002.jpgBeware of punycode phishing attempts

edit
Why is my attachment now a .zip? Ive uploaded a smaller .7z !