Google Moving Quickly To Fix Chrome Browser Punycode Phishing Exploit
If you're using Google's Chrome browser as your primary vehicle to surf the web, you may want to think about temporarily parking it and puttering around in something else. That's because the most recent version of Chrome is vulnerable to a devious phishing attack, one that is capable of spoofing a legitimate website in the address bar so that you could be tricked into forking over your login credentials and other sensitive data.
This particular variant uses unicode to register domains that look exactly the same as real domains. However, these fake domains can be used for malicious purposes, such as getting a user to sign into a banking site or some other portal where login credentials and other data might be exposed.
As a proof of concept, Wordfence created its own example in which it purchased the domain xn--e1awd7f.com and imitated a healthcare website called epic.com, complete with an SLL certificate. When visiting the fake website, it appears as epic.com in the address bar and is labeled as "Secure" with the lock icon. There is nothing in the address bar to alert a user at a glance that it's different from the real epic.com website.
This is made possible by using the xn-- prefix, also known as an ASCII compatible encoding prefix. This tells a browser that a website is using punycode encoding to represent Unicode characters. This makes it possible to register domains with foreign characters. When using the right ones, it's possible to spoof a domain. For example, registering the domain xn--pple-43d.com would show up as apple.com, as Xudon Zheng describes in a blog post.
This bit of punycode trickery the current versions of Chrome (57.0.2987) and Firefox (52.0.2), though there is a manual fix you can apply to the latter:
No matter what browser you use, as always, avoid clicking on hyperlinks in emails. Instead, type the destination address directly into your browser.
This particular variant uses unicode to register domains that look exactly the same as real domains. However, these fake domains can be used for malicious purposes, such as getting a user to sign into a banking site or some other portal where login credentials and other data might be exposed.
As a proof of concept, Wordfence created its own example in which it purchased the domain xn--e1awd7f.com and imitated a healthcare website called epic.com, complete with an SLL certificate. When visiting the fake website, it appears as epic.com in the address bar and is labeled as "Secure" with the lock icon. There is nothing in the address bar to alert a user at a glance that it's different from the real epic.com website.
This is made possible by using the xn-- prefix, also known as an ASCII compatible encoding prefix. This tells a browser that a website is using punycode encoding to represent Unicode characters. This makes it possible to register domains with foreign characters. When using the right ones, it's possible to spoof a domain. For example, registering the domain xn--pple-43d.com would show up as apple.com, as Xudon Zheng describes in a blog post.
This bit of punycode trickery the current versions of Chrome (57.0.2987) and Firefox (52.0.2), though there is a manual fix you can apply to the latter:
- Type about:config in the address bar.
- Search for punycode.
- Look for the parameter network.IDN_show_punycode and change the value from false to true.
No matter what browser you use, as always, avoid clicking on hyperlinks in emails. Instead, type the destination address directly into your browser.
