Unicode domain name for phishing attacks

From a security perspective, Unicode domain names are problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register a domain such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic letter “а” (U+0430) instead of the ASCII “a” (U+0041). This is known as a homograph attack.

Fortunately, modern browsers have mechanisms to limit IDN homograph attacks. Google Chrome's IDN policy page describes the conditions under which an IDN is displayed in its native Unicode form. In Chrome and Firefox, if a domain label contains characters from several different scripts, the Unicode form is not shown. The “аpple.com” domain described above is therefore displayed in its Punycode form, “xn--pple-43d.com”, to limit confusion with “apple.com”.

Unfortunately, this protection in Chrome (and Firefox) fails when every character is replaced with a look-alike from a single foreign script. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, uses only Cyrillic characters and so passes the mixed-script filter. You can test this yourself in Chrome or Firefox with the POC. With the fonts used by Chrome and Firefox, the two domains are in many cases visually indistinguishable. Without inspecting the URL or the site's SSL certificate, there is no way to identify the site as fraudulent. The POC is a good way to see the difference between the two sets of characters. Internet Explorer and Safari are fortunately not vulnerable.
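The following is an added example, not code from the article or from any browser: it decodes the two Punycode labels above, applies a per-label mixed-script rule of the kind described (which lets the all-Cyrillic “аррӏе” through) and beside it a whole-script-confusable rule that catches it. The look-alike table is an illustrative subset assumed for the example, not any browser's exact confusables list, and script_of is a coarse approximation based on Unicode character names rather than the Script property.

```python
# Added example (not from the article): decode the article's two Punycode
# labels and reproduce the mixed-script heuristic that lets "аррӏе" through,
# beside a whole-script-confusable check that catches it. Stdlib only.
import unicodedata

# Illustrative subset of Cyrillic letters that render like Latin letters in
# common fonts. This list is an assumption for the example, not any
# browser's exact confusables table.
CYRILLIC_LATIN_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0455": "s",  # ѕ
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04cf": "l",  # ӏ (palochka)
    "\u0501": "d",  # ԁ
    "\u051b": "q",  # ԛ
    "\u051d": "w",  # ԝ
}


def decode_label(label: str) -> str:
    """Decode one DNS label: an 'xn--' label carries Punycode (RFC 3492)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def script_of(ch: str) -> str:
    """Coarse script bucket taken from the Unicode character name.

    Assumed approximation for this example: fine for letters of the major
    scripts, but a real implementation should use the Unicode Script property.
    """
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    name = unicodedata.name(ch, "")
    return name.split()[0].title() if name else "Unknown"


def mixed_script(label: str) -> bool:
    """The pre-Chrome-58 style rule: a label is suspicious only if it mixes scripts."""
    scripts = {script_of(c) for c in label} - {"Common"}
    return len(scripts) > 1


def whole_script_confusable(label: str) -> bool:
    """True when every character is a Cyrillic look-alike of a Latin letter,
    i.e. the whole label could render identically to an all-ASCII name."""
    return bool(label) and all(c in CYRILLIC_LATIN_LOOKALIKES for c in label)


def skeleton(label: str) -> str:
    """Fold look-alikes to ASCII so that 'аррӏе' compares equal to 'apple'."""
    return "".join(CYRILLIC_LATIN_LOOKALIKES.get(c, c) for c in label)


def display_form(domain: str, check_whole_script: bool = True) -> str:
    """Decide label by label whether to show Unicode or keep the Punycode.

    With check_whole_script=False only the mixed-script rule applies, which
    is the bypassable behaviour the article describes.
    """
    shown = []
    for label in domain.split("."):
        decoded = decode_label(label)
        suspicious = mixed_script(decoded) or (
            check_whole_script and whole_script_confusable(decoded)
        )
        shown.append(label if suspicious else decoded)
    return ".".join(shown)


if __name__ == "__main__":
    for domain in ("xn--pple-43d.com", "xn--80ak6aa92e.com"):
        label = decode_label(domain.split(".")[0])
        print(domain, "->", label, [f"U+{ord(c):04X}" for c in label])
        print("  mixed-script only :", display_form(domain, check_whole_script=False))
        print("  with whole-script :", display_form(domain))
        print("  skeleton          :", skeleton(label))
```

Run as a script it prints the code points of each decoded label and how each rule would display the domain: the mixed-script rule alone shows “аррӏе.com” in Unicode, while the whole-script rule keeps it as “xn--80ak6aa92e.com”. A genuinely Cyrillic label such as “яндекс” is not all look-alikes and is still shown in Unicode under both rules.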

Affected browsers

Google Chrome < v58
Firefox

In fact there is a simple way to limit the damage from this problem: always use a password manager. A password manager matches stored credentials against the actual domain rather than what the address bar appears to show, so it will not fill them in on the look-alike site. Firefox users can also set network.IDN_show_punycode to true in about:config so that all IDNs are displayed in Punycode. In general, users must be very careful and pay attention to the URL when entering personal information. I hope that Firefox will consider a fix for this problem, because it can seriously confuse even those who pay close attention to phishing.