Beware of punycode phishing attempts

[Deozaan]

This is probably considered old news, but it's some information I just discovered and haven't found any references to punycode on DC, so I thought I'd post about it here.

Punycode^w was created to help protect against phishing attacks where certain unicode characters in different languages look the same as letters from the roman alphabet but are in fact different. Punycode tries to avoid this problem by converting domains with unicode characters to what might appear to the average person to be a somewhat random mishmash of ASCII letters and numbers. However, there is a flaw in its design such that it doesn't always work, leaving you vulnerable to phishing attacks after all.

Check this article for more information: https://fraudwatchin...ode-phishing-part-1/

If you click the following link and your browser shows something that looks like "apple.com" in the address bar, then your browser is vulnerable to this attack vector.

xn--80ak6aa92e.com


Here's an example of what it looks like from a vulnerable browser:

[mouser]

thanks for the heads up 

[Stoic Joker]

Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

That can't be good..

[tomos]

Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

-Stoic Joker (June 19, 2018, 06:56 AM)

didnt think of that:
PaleMoon up-to-date showed the correct link both ways (i.e. always https://xn--80ak6aa92e.com/). No warning though.

[ConstanceJill]

And this is why Firefox should have "network.IDN_show_punycode" set to true as default.

[KodeZwerg]

Opera, latest Version, no Unicode Display of Domain-Names, so no problem with Opera.

[wraith808]

Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

That can't be good..

-Stoic Joker (June 19, 2018, 06:56 AM)

The browser that he's using to show the vulnerability appears to be Firefox.

[Deozaan]

Interesting... IE caught it and through a warning when I clicked the link. But when I copied the link to paste it into FireFox it came off the Windows clipboard as apple.com.

-Stoic Joker (June 19, 2018, 06:56 AM)

The browser that he's using to show the vulnerability appears to be Firefox.

-wraith808 (June 19, 2018, 08:36 AM)

The screenshot I took was from Tor browser, which is indeed based on Firefox.

[wraith808]

Oh!  I didn't know that was your screenshot 

[Stoic Joker]

Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

[4wd]

Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

-Stoic Joker (June 19, 2018, 09:20 PM)

That might be Notepad, pasting into Notepad++ shows http://xn--80ak6aa92e.com/ (unless I've misunderstood something).

Ah, I see what you mean now, copying out of Edge it shows as apple.com, I was copying out of Vivaldi which gave the correct link.

FWIW:
Vivaldi - OK
K-Meleon (Goanna engine) - OK
Iridium - OK
SlimJet - OK
Puffin - OK
Edge - OK
Firefox 52 ESR - Fail
Basilisk - Fail
Chromium - Fail

Last 3 aren't the absolute latest version.

[wraith808]

Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

-Stoic Joker (June 19, 2018, 09:20 PM)

Strange.  Mine worked - it just pasted the url direct.  Do you have something else in the background that might be the cause of it?

[4wd]

Strange.  Mine worked - it just pasted the url direct.  Do you have something else in the background that might be the cause of it?

-wraith808 (June 19, 2018, 10:22 PM)

Just seems to be when copying it out of Edge, (and maybe IE)  ... seems more like Edge is 'converting' it before it hits the clipboard since it copies out of other browsers OK.

[Stoic Joker]

Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

-Stoic Joker (June 19, 2018, 09:20 PM)

Strange.  Mine worked - it just pasted the url direct.  Do you have something else in the background that might be the cause of it?

-wraith808 (June 19, 2018, 10:22 PM)

I'm not really a fan of addons, so there shouldn't be.

I tried it starting with this page loaded in different browsers:

IE got the link hover name correct and threw a Punny error on navigation to xn--80ak6aa92e.com, but botched the paste (аррӏе.com)

FF got the link hover name wrong, navigated to "Apple.com", but got the paste right (xn--80ak6aa92e.com).

Edge got hover link right, navigated to xn--80ak6aa92e.com, but got paste wrong (аррӏе.com).

SlimJet got hover link wrong, navigated to "apple.com", and got paste wrong (аррӏе.com).

[wraith808]

I don't have firefox installed, but I opened this page in Edge, navigated to it (fine), copied the text from this page, and pasted it into Chrome, and it was fine....

I just got what you meant.  You right-clicked on it, and it pasted wrong.  Is that right?  I was selecting and copying it, and it was right.

[Stoic Joker]

I don't have firefox installed, but I opened this page in Edge, navigated to it (fine), copied the text from this page, and pasted it into Chrome, and it was fine....

I just got what you meant.  You right-clicked on it, and it pasted wrong.  Is that right?  I was selecting and copying it, and it was right.

-wraith808 (June 20, 2018, 11:49 PM)

Correct, I'm using the context menu's copy link/copy shortcut options for the test, not the select and copy method.

[hollowlife1987]

Correct, I'm using the context menu's copy link/copy shortcut options for the test, not the select and copy method.

-Stoic Joker (June 21, 2018, 06:48 AM)

Interesting that Edge and IE will convert it when copying it that way.

Actually the point I was driving at is the Windows shell itself fell for the exploit when I put the link on the Windows Clipboard and pasted it into the FireFox address bar. FF never got a chance to pass/fail, it was just being used for an edit field.

Case in point, copy the link to the clipboard and paste it into Notepad … It comes off the clipboard as apple.com

-Stoic Joker (June 19, 2018, 09:20 PM)

I really don't believe this is the case as other browsers fail (pass) when copying the link that way.  Also since copying from URL bar doesn't do it also its more of just the "copy link" feature in Edge and IE.  I tested in chrome as 3rd party browser and it doesn't convert it before it goes to clipboard.

[KodeZwerg]

Simple Unicode, by using Clipboard it correctly convert text to  Unicode "0430 0440 0440 04CF 0435", my guess russian (kyrilic?) symbols are used that fake the text to "apple"

[KodeZwerg]

Cyrillic (<- sorry if misspelled) Unicode to PunyCode Example app.Beware of punycode phishing attempts

edit
Why is my attachment now a .zip? Ive uploaded a smaller .7z !