Phishing attacks can make even crusading technovangelists paranoid. One wrong click can put you out a ton of cash, or cause a corporate breach. And they evolve constantly. Case in point: A cunning new exploit makes malicious phishing websites appear to have the same URL as known and trusted destinations.
You know by now to check your browser while visiting a site to be sure it sports the little green padlock indicating TLS encryption. See it and you know no one can eavesdrop on any data you submit—an especially important consideration for financial and healthcare sites. But a malicious site that can impersonate a legit URL and depict that padlock leaves precious few tip-offs that you’re dealing with an imposter.
This particular vulnerability takes advantage of the fact that many domain names don’t use the Latin alphabet (think Chinese characters or Cyrillic). When English-based browsers run into those URLs, they use an encoder called Punycode to render each character from a standardized library of character codes maintained by Unicode, the standards body for text online. This exploit takes advantage of that conversion process; phishers can appear to spell out a familiar domain name using a different URL and web server. Attackers who trick people into loading the fake page could more easily convince them to answer questions or provide personal information because the site seems trustworthy.
These kinds of URL character manipulations, called homograph attacks, started years ago, and groups like the Internet Assigned Numbers Authority work with browser developers to create defenses, including Punycode itself, that make URL spoofing more difficult. But new twists on the attack still crop up. Web developer Xudong Zheng reported this exploit to Google and Mozilla in January and demonstrated it publicly on Friday, creating a fake Apple.com website that appears legitimate and secure in unpatched browsers.
Apple Safari, Microsoft Edge, and Internet Explorer protect against this attack. A Chrome fix arrives in Version 59 this week, but Firefox developer Mozilla continues weighing whether to release a patch. The organization did not return a request for comment.
Until then, you can check the validity of sites by copying and pasting the URLs into a text editor. A spoofed URL only appears familiar, and actually uses an address beginning “www.xn--” that you can see outside the browser bar. Zheng’s fake Apple site, for example, uses the address https://www.xn--80ak6aa92e.com. All Zheng need to do to get the trusted “https” status was apply for TLS encryption from an entity like Let’s Encrypt.
Firefox users also can protect themselves by changing their settings so the address bar only shows the Punycode addresses. Load the phrase “about:config” into your address bar, search for “network.IDN_show_punycode” in the attribute list that appears, right-click on the only result, and choose “Toggle” to change the preference value from “false” to “true.”
Given phishers’ love of domains like www.app1e.com, the Punycode trick seems like a powerful attack. But Aaron Higbee, chief technology officer at the phishing research and defense company PhishMe, says his company hasn’t found any instances of it appearing in the wild. The company also has not found the tools to execute it in any of the pre-fab phishing kits it examines on the dark web.
That’s not to say the exploit isn’t out there somewhere, but Higbee says phishers may not find it reliable because browser autofill mechanisms and password managers won’t autocomplete on spoofed sites. Such tools know, even if users do not, when a URL is not familiar. “There’s going to be a technical control for every phishing technique and eventually that control will be outwitted,” says Higbee. “Phishing lives in that space.”
With the attack publicized, you may see an uptick in its use and further research into even more creative versions. So until that Chrome update comes through, keep a close eye on your URLs—and anything weird on the websites they purport to show you.