The Homograph Phishing Attack is Back and It’s Impossible to Detect
News has come in of a Chinese security researcher who has rediscovered a weakness in how web browsers display internationalized domain names, a weakness that enables a phishing trick capable of catching even the most careful users off guard. The researcher has confirmed that the spoof is practically impossible to spot in most versions of Firefox, Chrome and Opera. More gravely, it is just as hard to spot in the mobile versions of these browsers.
Legitimate-looking domains could be fake
The homograph phishing attack registers completely bogus domain names that look like exact replicas of the domains of services such as Apple, Google or Amazon. Most users, seeing what appears to be the legitimate domain in the address bar, will not understand why the page looks different or shows an unexpected message, and in the process they may end up entering the credentials of their login and financial accounts.
This is particularly damaging if the page is built to steal sensitive data or asks users to re-enter their login credentials before continuing.
Look at These Sample Fake Websites
You might think it impossible to see apple.com in the address bar and yet not be on Apple's website. That is exactly what the researcher demonstrates on his demo page. The page may be slow to load, as many people are looking it up right now (including, hopefully, some at Apple).
The Fake Apple Website

Real Apple Website
Xudong Zheng, who discovered the attack, has written a detailed blog post on it. He says:
“For regular users, it is nearly impossible to tell that the site is fraudulent (or at least inauthentic) without looking at the URL of the site or its SSL certificate very carefully.”
If your browser's address bar shows the words “apple.com” but the page displays the demo's warning message instead of Apple's website, it is a sure sign that your browser is vulnerable to the homograph attack.
In another demonstration, Wordfence registered a look-alike of the domain “epic.com”, using the same kind of non-Latin characters when buying the domain.

The attack is quite old in itself
The first accounts of homograph attacks date back to 2001, but browsers have struggled to shut them down ever since. It is a pure spoofing attack: the attacker replaces letters of the Latin alphabet with Unicode characters that look the same.
However careful you are, the substitution is almost impossible to spot by eye.
Domains are bought using Unicode characters
Internationalized domain names (IDNs) admit many Unicode characters from other scripts, including Cyrillic, Greek and Armenian, for the convenience of non-English users. At a casual glance, many of these letters look exactly like Latin letters. Browsers, however, differ in how they display them: some show the raw encoded form, others the Unicode letters, so the same registered name can appear completely different from one browser to another.
Punycode Attacks
Modern web browsers use Punycode, the encoding that turns a Unicode domain label into the restricted ASCII character set that DNS supports. It is the representation mandated by the Internationalized Domain Names (IDN) mechanism, and each browser decides, label by label, whether to display the Unicode letters or the raw Punycode.
Zheng points out that if every character of the domain is chosen from a single non-Latin script, a loophole in that display policy makes the browser render the Unicode form, which looks like the targeted domain name, instead of the Punycode form.
xn--80ak6aa92e.com Looks Like apple.com When Rendered by Browsers
Using this loophole, Zheng registered the domain xn--80ak6aa92e.com. In most browsers, including Chrome, Firefox and Opera, it slips past the protection and is displayed as apple.com. Interestingly, Internet Explorer, Apple Safari, Vivaldi, Microsoft Edge and Brave were not found to be vulnerable.
Note that xn-- is the ASCII Compatible Encoding (ACE) prefix: it tells the browser that the rest of the label is Punycode-encoded.
Instead of the ASCII “a” (U+0041), Zheng uses the Cyrillic “а” (U+0430), and the other letters are Cyrillic look-alikes as well (р U+0440, ӏ U+04CF, е U+0435). Because every character comes from the same script, this simple substitution bypasses the browser's mixed-script check.
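To make the mechanism concrete, here is an added example (not code from Zheng's write-up or from any browser) that decodes a Punycode label by hand following RFC 3492 and then applies two checks to it: the single-script test that the affected browsers relied on, and the whole-script-confusable test that actually catches Zheng's domain. The LOOKALIKES table is a hand-picked subset of Unicode's confusables data and is an assumption of this example, not a complete list; a real display policy would use the full table.

```python
"""Punycode (RFC 3492) decoder plus a whole-script-confusable check.

Added example for this article, not code from Xudong Zheng's write-up or
from any browser. LOOKALIKES is a hand-picked subset of the Unicode
confusables data (an assumption of this example, not a complete list).
"""
import unicodedata

# RFC 3492 bootstring parameters for Punycode.
BASE, TMIN, TMAX, SKEW, DAMP = 36, 1, 26, 38, 700
INITIAL_BIAS, INITIAL_N = 72, 128

# Cyrillic letters that render like ASCII letters in most fonts (subset).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q",
}


def _digit(ch: str) -> int:
    """Map a Punycode digit (a-z, 0-9) to its value 0..35."""
    if "a" <= ch <= "z":
        return ord(ch) - ord("a")
    if "0" <= ch <= "9":
        return ord(ch) - ord("0") + 26
    raise ValueError(f"invalid Punycode digit {ch!r}")


def _adapt(delta: int, numpoints: int, first: bool) -> int:
    """Bias adaptation from RFC 3492 section 6.1."""
    delta = delta // DAMP if first else delta // 2
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)


def punycode_decode(encoded: str) -> str:
    """Decode the part of an IDN label that follows the 'xn--' prefix."""
    encoded = encoded.lower()
    pos = encoded.rfind("-")
    # Everything before the last hyphen is copied through as plain ASCII.
    output = list(encoded[:pos]) if pos >= 0 else []
    deltas = encoded[pos + 1:] if pos >= 0 else encoded
    n, i, bias, idx = INITIAL_N, 0, INITIAL_BIAS, 0
    while idx < len(deltas):
        oldi, w, k = i, 1, BASE
        while True:  # one variable-length integer: how far to advance i
            if idx >= len(deltas):
                raise ValueError("truncated Punycode input")
            digit = _digit(deltas[idx])
            idx += 1
            i += digit * w
            t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
            if digit < t:
                break
            w *= BASE - t
            k += BASE
        bias = _adapt(i - oldi, len(output) + 1, oldi == 0)
        n += i // (len(output) + 1)  # next code point to insert
        i %= len(output) + 1         # position at which to insert it
        output.insert(i, chr(n))
        i += 1
    return "".join(output)


def _script(ch: str) -> str:
    """Coarse script taken from the Unicode name ('LATIN', 'CYRILLIC', ...).
    Assumption: digits and hyphens count as 'COMMON'; adequate for letters."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def classify_label(label: str) -> dict:
    """Classify one hostname label the way a browser display policy might.

    mixed_script is the old single-script check; whole_script_confusable is
    what it missed: every letter comes from one non-Latin script and every
    letter has a Latin look-alike, so the label reads as an ASCII name.
    """
    text = punycode_decode(label[4:]) if label.lower().startswith("xn--") else label
    scripts = {_script(c) for c in text} - {"COMMON"}
    skeleton = "".join(LOOKALIKES.get(c, c) for c in text)
    return {
        "unicode": text,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "latin_skeleton": skeleton,
        "whole_script_confusable": (
            "LATIN" not in scripts and skeleton != text and skeleton.isascii()
        ),
    }


def check_hostname(host: str) -> list:
    """Labels of host that a Unicode-alerting add-on should flag."""
    return [lab for lab in host.split(".") if classify_label(lab)["whole_script_confusable"]]


if __name__ == "__main__":
    for host in ("apple.com", "xn--80ak6aa92e.com", "\u0430pple.com"):
        print(host, [classify_label(lab) for lab in host.split(".")])
```

Running it shows that xn--80ak6aa92e decodes to five Cyrillic letters (U+0430 U+0440 U+0440 U+04CF U+0435), so the single-script test passes while the Latin skeleton is exactly "apple". A mixed label such as Cyrillic а followed by Latin pple is caught by the older mixed-script test but is not a whole-script confusable, which is why the two checks have to be applied together.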
Zheng reported the issue to the affected browser vendors, informing Google and Mozilla in January.
They Are Working on Fixes
Mozilla is still weighing different approaches to a fix. Google has already patched the vulnerability in its experimental Chrome Canary (version 59) and has promised a permanent fix in Chrome 58 Stable, due for release in a few weeks.
In the meantime, millions of users are (unknowingly) relying on browsers that render such Punycode domains as look-alike Unicode. Until the fix ships, it is highly recommended that they switch their browser to show the raw Punycode form, which is the only reliable way to make this almost invisible attack visible.
Warding off phishing attacks
Firefox users can apply a temporary mitigation by hand:
- Type about:config in the address bar of the browser
- Search for punycode
- Locate the entry network.IDN_show_punycode, right-click it and choose Toggle to change the value from false to true. (See image below)

Unfortunately, there is no equivalent setting in Chrome or Opera that forces Punycode to be displayed. Chrome users have to wait for the Stable 58 release, which is due in a few weeks.
For the moment, there are browser add-ons that warn non-technical users whenever a domain name contains non-ASCII Unicode characters.
Use Good Password Managers
One good way to sidestep such phishing attacks is to use a really good password manager. It stores each set of login credentials together with the exact domain they belong to and only offers them on that domain; a look-alike made of Cyrillic letters is a different domain, so nothing is offered.
The first warning sign, then, is the password manager not offering to fill your stored password into the login field.
Fix for non-technical Chrome Users
There is another easy way to stay ahead of the game for anyone who would rather not change settings or install add-ons:
- Never click a link directly (or open it in a new tab); copy the link address instead
- Paste it into the address bar but do not hit Enter
- The URL is shown in its raw form, so a spoofed name reveals its xn-- Punycode prefix
In general, it is safer to copy addresses manually than to click through them.
Phishing attacks are very outdated nowadays!
I can't thank you enough for sharing this insightful post! 😊
This was such a well-written and informative article – thank you!
Thanks for sharing such valuable information with us in your post.