If you click on a link to Forbes.com you expect to be taken to the Forbes website. But fraudsters that want to steal your passwords or credit card info have an incredibly sneaky way of showing you a link that looks like a site you trust but sends you to a very convincing phishing site instead.
A website address that starts with xn-- tells your browser that the domain name is encoded using Punycode, which allows characters like ü or ñ to be displayed. It’s important that browsers be able to do that, because a very large percentage of Internet users don’t speak English (or it’s not their first language).
It also lets cybercriminals execute what’s called a homograph attack. All it takes to trick your browser is a jumble of letters, symbols and numbers. For example, if an attacker wanted to spoof the Forbes domain, they might register the domain name xn--0xa0vo267doa5di.com.
Chrome and Firefox will display that mess of characters as forbes.com. A scammer could even apply for — and would likely be granted — an SSL certificate for the Punycode name. That means you’d not only see forbes.com in the address bar if you clicked this kind of phishing link but you’d also see the green lock icon that tells you a site is secure. Security provider Wordfence offered the following example in a recent blog post discussing these attacks:
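The mechanism the paragraphs above describe, and a simple defender-side check for it, as an added example that is not part of the original article or of the Wordfence post it cites: the script uses Python's built-in IDNA codec to convert a domain between its Unicode form and its xn-- (Punycode) form, then flags labels that mix writing scripts or that collapse to a watched brand name once lookalike letters are replaced. The sample domain, the tiny confusables table and the watch-list of brand names are all constructed for this example; Unicode's real confusables.txt is far larger, and the Cyrillic letters used here are chosen only because they resemble Latin ones.

```python
import unicodedata

# Constructed subset of lookalike mappings: non-Latin letter -> Latin letter it
# resembles.  Unicode's confusables.txt lists thousands more; this is illustrative.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
}

# Constructed watch-list of names worth protecting (hypothetical for this example).
PROTECTED = {"forbes", "paypal", "facebook"}


def to_ace(domain):
    """Unicode domain -> ASCII-compatible (xn--) form, as a browser sends it in DNS."""
    return domain.encode("idna").decode("ascii")


def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- labels are Punycode-decoded."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def scripts_of(text):
    """Set of scripts used by the letters in text (first word of each Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def skeleton(text):
    """Replace known lookalike letters with the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyse_domain(domain):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for raw in domain.rstrip(".").split("."):
        label = decode_label(raw)
        scripts = scripts_of(label)
        # A single label mixing e.g. Latin and Cyrillic letters is a classic homograph sign.
        if len(scripts) > 1:
            findings.append(f"{raw}: mixes scripts {sorted(scripts)}")
        # A label that only equals a watched name after lookalike substitution is spoofing it.
        skel = skeleton(label)
        if skel != label and skel.lower() in PROTECTED:
            findings.append(f"{raw}: resembles protected name '{skel}'")
    return findings


if __name__ == "__main__":
    # Constructed sample: "forbes.com" with the 'o' replaced by CYRILLIC SMALL LETTER O.
    spoof = "f\u043erbes.com"
    ace = to_ace(spoof)
    print("wire form:", ace)
    print("findings: ", analyse_domain(ace))
    # A legitimate non-English name decodes to a single script and is not flagged.
    print("findings for münchen.de:", analyse_domain(to_ace("m\u00fcnchen.de")))
```

The check is deliberately conservative: a label written entirely in one non-Latin script is not flagged by the script-mixing rule, which is why the skeleton comparison against a watch-list is also needed, and a real deployment would use the full Unicode confusables data rather than the handful of letters above.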
To be clear, Forbes isn’t the kind of site that scammers would generally spoof using a homograph attack. They’re much more interested in getting victims to cough up credentials for PayPal, Facebook and email accounts, or credit card numbers.
This clever phishing technique isn’t new. Homograph attacks have been around for more than a decade. It’s proven to be a difficult technique to thwart because of the legitimate uses of Punycode in domain names. Fortunately, both Chrome and Firefox users may soon be protected.
Google has already introduced a change in Chrome Canary, an experimental version of its browser. Changes in Canary that make the cut are usually pushed to all Chrome users within a few months. When this one rolls out, Chrome users will be protected automatically.
Firefox users can actually enable protection right now. It’s done by entering about:config in the address bar and agreeing to the warning Firefox displays. A search box will then appear. Enter punycode in the box and a line that reads network.IDN_show_punycode will appear. By default, it is set to false. Double-clicking the line will change it to true, which will cause Firefox to display the raw xn-- form of the address instead of the deceptive decoded characters.