
Beware of punycode phishing attempts


Deozaan:
This is probably considered old news, but it's some information I just discovered and haven't found any references to punycode on DC, so I thought I'd post about it here.

Punycode was created to help protect against phishing attacks where certain unicode characters in different languages look the same as letters from the roman alphabet but are in fact different. Punycode tries to avoid this problem by converting domains with unicode characters to what might appear to the average person to be a somewhat random mishmash of ASCII letters and numbers. However, there is a flaw in its design such that it doesn't always work, leaving you vulnerable to phishing attacks after all.

Check this article for more information: https://fraudwatchinternational.com/expert-explanations/punycode-phishing-part-1/

If you click the following link and your browser shows something that looks like "apple.com" in the address bar, then your browser is vulnerable to this attack vector.

xn--80ak6aa92e.com


Here's an example of what it looks like from a vulnerable browser:

mouser:
thanks for the heads up  :up:

Stoic Joker:
Interesting... IE caught it and threw a warning when I clicked the link. But when I copied the link to paste it into Firefox it came off the Windows clipboard as apple.com.

That can't be good...

tomos:
Interesting... IE caught it and threw a warning when I clicked the link. But when I copied the link to paste it into Firefox it came off the Windows clipboard as apple.com. -Stoic Joker (June 19, 2018, 06:56 AM)
--- End quote ---

didn't think of that:
PaleMoon up-to-date showed the correct link both ways (i.e. always https://xn--80ak6aa92e.com/). No warning though.

ConstanceJill:
And this is why Firefox should have "network.IDN_show_punycode" set to true as default.
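A defender-side check for the homograph trick in Deozaan's post and the "show punycode" behaviour ConstanceJill mentions, written as an added example that is not part of any post in this thread. It decodes xn-- labels with Python's punycode codec, flags mixed-script labels, and compares a TR39-style "skeleton" against a constructed watchlist; the confusables table is a small hand-picked subset and is an assumption, not the full Unicode table.

```python
import unicodedata

# Constructed subset of Unicode TR39 confusables (Cyrillic -> Latin lookalikes).
# Assumption: enough for this thread's example; a real check loads the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
}

# Constructed list of brand domains we want to protect against lookalikes.
WATCHLIST = {"apple.com", "paypal.com"}


def decode_idn(host: str) -> str:
    """Turn each 'xn--' label back into Unicode, as a browser rendering IDN would."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Scripts used in a label: first word of each non-ASCII char's Unicode name, plus LATIN for ASCII letters."""
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if not c.isascii()}
    if any(c.isascii() and c.isalpha() for c in label):
        scripts.add("LATIN")
    return scripts


def skeleton(host: str) -> str:
    """Replace confusable characters by their Latin lookalike (TR39-style skeleton)."""
    return "".join(CONFUSABLES.get(c, c) for c in host)


def assess(host: str) -> dict:
    """Report what the user would see, whether scripts are mixed, and whether it mimics a watched brand."""
    rendered = decode_idn(host)
    labels = rendered.split(".")
    skel = skeleton(rendered)
    return {
        "raw": host,                      # what network.IDN_show_punycode=true would display
        "rendered": rendered,             # what a browser rendering IDN would display
        "mixed_script": any(len(scripts_in(l)) > 1 for l in labels),
        "skeleton": skel,
        "lookalike_of_watchlist": skel != rendered and skel in WATCHLIST,
    }
```

Running `assess("xn--80ak6aa92e.com")` shows the rendered form is five Cyrillic letters whose skeleton collapses to apple.com, which is exactly why showing the raw punycode is the safer default.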
