If you think you’ve fine-tuned your online security skills enough not to fall for a phishing scam, think again: software engineer Xudong Zheng has uncovered a vulnerability that could be especially difficult to spot.
Writing on his blog last week, Zheng described a special variation of what’s called an “IDN [internationalized domain name] homograph attack.” This kind of attack uses letters from one writing system, for example, Cyrillic, that look just like letters from another system, say, Latin, to trick people into clicking on legitimate-looking URLs that actually take them to different, possibly malicious Web sites.
While most browsers today offer protections against IDN attacks, Zheng discovered a unique exception: when another language system can be used to replace all, and not just some, of the letters in legitimate domains, many browsers won’t catch the trick. This leaves both the real URLs and the spoofed URLs looking nearly identical in the browsers’ fonts.
Chrome Fix Now Rolling Out
The attack strategy works because of the system put in place to enable the registration of Web domains using foreign characters. An encoding scheme called Punycode converts such characters into an equivalent string of standard ASCII characters that the domain name system can handle.
Zheng said a problem can arise, though, with Web addresses that look exactly like Latin-character URLs, but are actually written in homographs, which are characters in different languages that appear almost identical to Latin text. For instance, Cyrillic features many letters that look similar to the Latin alphabet, making it possible to spoof the actual domain “apple.com” (in Latin characters) with the alternative URL, “apple.com” (in Cyrillic characters).
“Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox,” Zheng said in his blog post. “As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s…
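The Punycode conversion and the "all letters from one script" case described above, as an added example that is not from Zheng's post: it decodes an xn-- label with the standard library, maps a constructed subset of Cyrillic look-alikes to their Latin skeleton, and flags labels that are entirely non-Latin yet collapse to pure ASCII. The confusable table and the sample domain are assumptions, and the encoder is simplified (lowercasing only, no full IDNA nameprep).

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters in
# common fonts; Unicode's confusables.txt lists far more (assumption: this
# subset is enough for the example).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u043e": "o", "\u0440": "p",
    "\u051b": "q", "\u0455": "s", "\u051d": "w", "\u0445": "x", "\u0443": "y",
}
ACE_PREFIX = "xn--"

def decode_label(label: str) -> str:
    """Unicode form of one DNS label: strip xn-- and decode Punycode (RFC 3492)."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label

def encode_label(label: str) -> str:
    """ASCII form of one label. Simplified: lowercases only, no full IDNA nameprep."""
    if label.isascii():
        return label.lower()
    return ACE_PREFIX + label.lower().encode("punycode").decode("ascii")

def scripts_of(label: str) -> set:
    """Script names of the letters in a label, from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def latin_skeleton(label: str) -> str:
    """Replace each Cyrillic look-alike with the Latin letter it imitates."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)

def analyze_domain(domain: str) -> dict:
    """Flag labels that are entirely non-Latin yet collapse to a pure-ASCII skeleton."""
    labels = [decode_label(part) for part in domain.split(".")]
    whole_script = any(
        not lab.isascii() and latin_skeleton(lab).isascii() and len(scripts_of(lab)) == 1
        for lab in labels
    )
    return {
        "ascii": ".".join(encode_label(lab) for lab in labels),
        "unicode": ".".join(labels),
        "skeleton": ".".join(latin_skeleton(lab) for lab in labels),
        "whole_script_confusable": whole_script,
        "mixed_script": any(len(scripts_of(lab)) > 1 for lab in labels),
    }

if __name__ == "__main__":
    # Constructed sample: Cyrillic a, er, er, palochka, ie -> looks like "apple"
    print(analyze_domain("\u0430\u0440\u0440\u04cf\u0435.com"))
```

Comparing the returned skeleton against a watch list of brand domains is the defender-side check; a whole-script hit with a matching skeleton is the case the browsers discussed above were missing.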