A new variation of one of the older forms of phishing attack has surfaced recently, and many of the most popular browsers, including Firefox, Opera, and even Chrome, have been found to be vulnerable to it. It works by attackers registering fake domains that pass as the websites of some of the biggest companies, including Google, Apple, eBay, and many other corporate giants.
The new variation of what was once known as the homograph attack was discovered by Xudong Zheng, a Chinese researcher. The original homograph attack was discovered back in 2001 by Alex Gontmakher and Evgeniy Gabrilovich, two Israeli researchers.
Several years ago, ICANN decided that non-ASCII characters should be allowed in domain names. The problem that came with this decision was that some Unicode characters look identical in Latin and Cyrillic, for example the letter “a”: in Latin, “a” is U+0041, but in Cyrillic, “a” is U+0430. The system can tell the difference, but users cannot, and that leaves everyone open to phishing attacks.
As a solution, Punycode was brought into use. Punycode represents Unicode text using only ASCII characters, so that the Chinese “短” is written as “xn--s7y”.
Browsers were then configured to read Punycode URLs and show them to the user as Unicode characters. Of course, it was soon realized that hackers could use this too and find a loophole so that their attacks would work in this environment as well. If one of them registered a domain as xn--pple-43d.com, the user would see apple.com, and the only difference from the real Apple domain would be that the fake one starts with a Cyrillic “a”.
Another solution was suggested and many browsers adopted it: a filter that only displays domains written in a single script, meaning that anything combining Latin and Cyrillic letters is treated as a phishing website.
Now, Zheng has found another way that hackers could potentially exploit the situation. Since several Unicode scripts contain letters that look identical to Latin ones, an attacker could build a fake domain entirely from another script’s look-alike characters. The filter would treat it as a single language and let it through, but it would still lead to a phishing website.
Zheng demonstrated this with a demo page whose domain is xn--80ak6aa92e.com. Browsers render this as apple.com, yet it is written entirely in Cyrillic characters (Cyrillic “а” for Latin a, Cyrillic “р” for Latin p, and so on), which would probably trick every user.
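To make the two decisions concrete, here is an added example (not code from the article or from Zheng’s demo) of the checks a browser or a URL-filtering proxy can apply before showing a Unicode hostname. It decodes the Punycode labels described above, applies the single-script filter, and then adds the check that the filter alone misses: a label that is entirely Cyrillic but made only of letters that look like Latin ones. The look-alike table is constructed for the example; Unicode’s confusables.txt is the authoritative source.

```python
import unicodedata

# Cyrillic lowercase letters that render identically to Latin letters in most fonts.
# Constructed for this example; Unicode's confusables.txt is the real reference.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0501": "d", "\u04cf": "l", "\u051b": "q", "\u051d": "w",
}


def decode_label(label: str) -> str:
    """Turn one A-label (xn--...) back into its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Rough script detection from the character's Unicode name: LATIN, CYRILLIC, CJK ..."""
    if not ch.isalpha():
        return "COMMON"          # digits and '-' belong to no script
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in(label: str) -> set:
    """Set of scripts used by the letters of a label."""
    return {script_of(c) for c in label} - {"COMMON"}


def latin_skeleton(label: str) -> str:
    """What the label looks like to a human reading it as Latin text."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in label)


def classify_label(raw: str) -> tuple:
    """Return (text to display, reason). Punycode is kept whenever the label is suspicious."""
    try:
        label = decode_label(raw)
    except UnicodeError:
        return raw, "invalid punycode"
    if label == raw:
        return raw, "ascii"
    scripts = scripts_in(label)
    if len(scripts) > 1:
        # Rule 1, the older filter: Latin and Cyrillic mixed in one label
        return raw, "mixed-script"
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_TO_LATIN for c in label if c.isalpha()):
        # Rule 2, the gap the demo exploits: a single script, but every letter
        # is a Cyrillic look-alike of a Latin letter, so the label reads as Latin
        return raw, f"whole-script confusable (reads as {latin_skeleton(label)!r})"
    return label, "unicode"


def display_hostname(host: str) -> tuple:
    """Apply classify_label per label; returns (display string, list of reasons)."""
    shown, reasons = [], []
    for raw in host.split("."):
        text, why = classify_label(raw)
        shown.append(text)
        reasons.append(why)
    return ".".join(shown), reasons


if __name__ == "__main__":
    # Constructed inputs: the demo domain, the older mixed-script example, a benign IDN
    for host in ("xn--80ak6aa92e.com", "xn--pple-43d.com", "xn--s7y.co", "example.com"):
        print(host, "->", display_hostname(host))
```

Run as a script it prints, per hostname, what would be shown and why: the mixed-script label is caught by the first rule, the all-Cyrillic “apple” only by the second, and the Chinese label is displayed as Unicode because it neither mixes scripts nor imitates Latin.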
Many browsers were tested to see what they would display, and only three showed apple.com (Chrome, Opera, and Firefox), while the others displayed the Punycode URL (Internet Explorer, Edge, Vivaldi, Safari, and Brave).
Zheng reported this to Google and Mozilla. Google has already fixed it in Chrome Canary 59, and a permanent fix will ship in Chrome Stable 58 sometime this month; Mozilla, on the other hand, is still working on its fix.