This Phishing Attack is Almost Impossible to Detect but we Added a Fix

by kalixto
02/09
in Malware, News, Security

The Homograph Phishing Attack is Back and It’s Impossible to Detect

News has come in of a Chinese security researcher who has reportedly re-discovered a weakness in web browsers that enables a phishing scam capable of catching even the most careful users off guard. The researcher has confirmed that the spoof is practically impossible to detect in most versions of Firefox, Opera, and Chrome. More gravely, it is equally hard to spot on the mobile versions of these browsers.

Legitimate looking domains could be fake


The damage done by the homograph phishing attack is that completely bogus domain names can be registered that look like exact replicas of services such as Apple, Google or Amazon. Most users will not be able to work out why a seemingly legitimate domain displays an uncanny error message, and in the process they might end up handing over login credentials and financial account details.

This is particularly dangerous when the attack is designed to steal sensitive data or asks users to re-enter their login credentials before they can proceed.

Look at this Sample Fake Website

You would think it is almost impossible for the address bar to show apple.com and yet not be at Apple’s website. However, this is exactly what the researcher has disproved with this demo page here. You may experience a slight slowdown too, as many people are looking up the page right now (including some at Apple, hopefully).

[Screenshots: the fake Apple website and the real Apple website]

The discoverer of the attack, Xudong Zheng, has written a detailed blog post on it. He says:

“For regular users, it is nearly impossible to say that the site is fraudulent (or at least unauthentic) without looking up the URL of the site or its SSL certificate very carefully.”

If your browser’s address bar displays the words “apple.com” but the page shows the error message instead of the real Apple website, it is a sure sign that your web browser is vulnerable to the homograph attack.

In another sample, Wordfence successfully spoofed the domain name “epic.com” by registering a domain built from look-alike characters.


The attack is quite old in itself

The first accounts of the homograph attack date back to 2001. However, most browsers have had a hard time fixing it on their own. It is a pure spoofing attack in which researchers or attackers replace letters of the Latin alphabet with look-alike Unicode characters.

Irrespective of how careful you are about such attacks, the substitution is almost impossible to spot by eye.

Domains are bought using Unicode characters

Internationalized domain names allow, for convenience, many Unicode characters that represent letters of other scripts, including Cyrillic, Greek and Armenian. At a casual glance, some of these letters look identical to Latin letters. However, they are treated differently by some browsers, which then show a completely different name in the address bar.

Punycode Attacks

Many modern web browsers make use of “Punycode.” It is an encoding that converts Unicode characters in a domain name into the limited ASCII character set that domain names are restricted to. This is the accepted representation supported by the Internationalized Domain Names (IDN) mechanism.

Zheng states that if someone chooses all the characters of a domain from the same foreign script when registering it, the browser loophole renders it as the targeted domain name instead of showing the Punycode form.

xn--80ak6aa92e.com appears as apple.com when rendered by browsers

Using this loophole, Zheng registered the domain xn--80ak6aa92e.com. In most browsers, including Chrome, Firefox, and Opera, it swiftly bypasses the protection and is displayed as apple.com. Interestingly, Internet Explorer, Apple Safari, Vivaldi, Microsoft Edge, and Brave have not shown vulnerability to this kind of attack.

It is noteworthy that the xn-- prefix is the ASCII-compatible encoding prefix. It tells web browsers that the label that follows is Punycode-encoded.

Instead of the ASCII “a” which is (U+0041), Zheng uses the Cyrillic “a” (U+0430). In this case, this one simple replacement bypasses browser protection.
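The following Python example is added here and is not from the article or from Zheng’s research. It performs the Punycode conversion described above in both directions and, from the defender’s side, warns when a label’s letters all come from one non-Latin script yet spell a Latin-looking word. The small LOOKALIKES table is constructed for illustration and is not a complete confusables list.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (Cyrillic letters that
# render like Latin ones). A real checker would load Unicode's confusables.txt.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A (the swap the article describes)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}

def to_punycode(hostname):
    """Render a hostname the way Firefox does with network.IDN_show_punycode = true."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def to_unicode(hostname):
    """Decode xn-- labels back to the Unicode form a vulnerable browser displays."""
    out = []
    for label in hostname.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)

def script_of(ch):
    # First word of the Unicode character name, e.g. LATIN, CYRILLIC, GREEK.
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def analyse(hostname):
    """Return (punycode form, warnings) for a hostname in either notation."""
    unicode_form = to_unicode(hostname)
    warnings = []
    for label in unicode_form.split("."):
        if label.isascii():
            continue  # plain ASCII label, nothing to warn about
        scripts = sorted({script_of(ch) for ch in label if ch.isalpha()})
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in label)
        if len(scripts) > 1:
            warnings.append(f"{label}: mixed scripts {scripts}")
        elif skeleton.isascii():
            warnings.append(f"{label}: {'/'.join(scripts)} letters that look like '{skeleton}'")
        else:
            warnings.append(f"{label}: non-ASCII label, shown as {to_punycode(label)}")
    return to_punycode(unicode_form), warnings
```

Feeding the article’s xn--80ak6aa92e.com through analyse() decodes it to an all-Cyrillic label whose skeleton is “apple”, which is exactly the case a Punycode-display setting or a warning add-on is meant to surface.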

Zheng contacted the affected browser vendors and informed Google and Mozilla in January.

They are Trying Fixes

At the moment, Mozilla is trying different methods to produce a fix. Google has already patched this vulnerability in its experimental Chrome Canary (59) and has promised that a permanent fix will be rolled out with the Stable 58 version of Google Chrome, due for release later this year.

In the meantime, millions of users are (unknowingly) relying on Punycode handling in their browsers. It is highly recommended that they disable Punycode support in their browsers for a while so they can defend against this almost untraceable attack.

Warding off phishing attacks

For a temporary, manual mitigation, Firefox users can use this simple method:

  1. Enter about:config in the address bar of the browser
  2. Search for punycode
  3. Locate the preference network.IDN_show_punycode, right-click it, choose Toggle and change the setting from False to True. (See image below)
Disable Punycode in Mozilla Firefox

To the dismay of many users, there is no similar setting for Chrome or Opera that disables Punycode manually. Chrome users have to be patient and wait for the Stable 58 version of Chrome, which comes out in a few weeks.

For the moment, some browser add-ons can alert non-technical users every time a domain name contains Unicode characters.

Use Good Password Managers

One good way to sidestep such phishing attacks is to use a really good password manager. It stores all your login credentials and ties each of them to the actual, authentic URL it belongs to.

So the first warning sign would be the password manager not offering a stored password in the login field.

Fix for non-technical Chrome Users

There is another easy way to stay ahead of the game for anyone who finds it difficult to play with settings or install add-ons. Here are the steps:

  1. Always copy the URL and never click on it (open a new browser tab instead)
  2. Paste the URL in the address bar but do not hit Enter
  3. The actual URL will appear in its Unicode format

Also, it is always safer to copy addresses manually than to simply click through them.

Comments 11

  1. micd says:
    6 years ago

    phishing attack is very outdated nowadays!

    Reply
    • [email protected] says:
      10 months ago

      I can't thank you enough for sharing this insightful post! 😊

      Reply
      • [email protected] says:
        8 months ago

        This was such a well-written and informative article – thank you!

        Reply
    • [email protected] says:
      7 months ago

      Thanks for sharing such valuable information with us in your post.

      Reply
      • [email protected] says:
        7 months ago

        Do you suspect your spouse of cheating, are you being overly paranoid or seeing signs of infidelity…Then he sure is cheating: I was in that exact same position when I met Henry through my best friend James who helped me hack into my boyfriend’s phone, it was like a miracle when he helped me clone my boyfriend’s phone and I got first-hand information from his phone. Now I get all his incoming and outgoing text messages, emails, call logs, web browsing history, photos and videos, instant messengers(facebook, whatsapp, bbm, IG etc) , GPS locations, phone taps to get live transmissions on all phone conversations. if you need help contact his gmail on , [email protected], and you can also text, call him, whatsappn on +1(201)4305865, or +1(773)6092741…

        Reply
    • [email protected] says:
      3 months ago

      Hire a hacker to spy cell phone with a certified job may seem like a good idea, But is not easy as you mint think. Hacking into someone’s cell phone without them knowing is very difficult and require ethical service, mostly if you want to get into the user cellphone device to gain access to sensitive information and change settings, Then get a professional hacker will help you out contact [email protected]. if you looking a way to know how to spy on a cell phone without touch the target devices., he able to get it done. Thanks kelvin.

      Reply
  2. rajbhuwan says:
    6 years ago

    dude i need your help

    Reply
  3. [email protected] says:
    2 weeks ago

    Have you ever wondered if your spouse is cheating on you? As my spouse has always been a big time cheat, we have been married for 15 years now and i always suspect him but i wasn’t sure yet so i came in contact with this hacker Fred who i emailed to hack into his phone and he brought me results in 6hours time and i had access to my husband phone i always seeing his text messages, call logs, whats-app, emails, Facebook, deleted text messages and many more without touching my husband phone or him knowing about the hack then i got to see that he has a child outside without telling me i was in pains but thank God for this great hacker for his wonderful help…i must recommend this hacker as a very best professional you can contact him via gmail :fredv[email protected] and you can text,call him on +15177981808

    Reply
  4. [email protected] says:
    2 weeks ago

    MY wife is a very smart woman but i showed her that in every thing a man is always a man well i suspected she was hiding a lot from me, she has a mac-book pro she uses and also a Samsung phone i noticed she was cheating on me so i had to hack her phone but i found out that nothing was on her phone so i also hacked into her mac-book. i could not believe all that i saw on her laptop she has all her major text messages on her mac-book, she uses whats-app on her laptop also i found out that she was in a relationship with my friend who i call my brother i had full access to her mac-book and also read all there messages and so many they always hang out at a hotel on Sundays.. All I saw was too much for me to keep to myself. and also a very big thank you to the hacker that made it possible to be an ethical hacker. contact him on [email protected] and you can text,call him on +15177981808

    Reply
  5. [email protected] says:
    2 weeks ago

    The truly scary thing about undiscovered lies is that they have a greater capacity to diminish us than exposed ones. When people cheat in any arena, they diminish themselves-they threaten their own self-esteem and their relationships with others by undermining the trust they have in their ability to succeed and in their ability to be true. Cheating is the most disrespectful thing one human being can do to another. If you aren’t happy in a relationship, end it before starting another one. respect a person who is loyal in a relationship, by cheating on him or her. If you succeed in cheating on someone, don’t think that the person is a fool, realize that the person trusted you much more than you deserve. If you notice any suspicious act on your partner if he or she is cheating. You need to write MR FRED to help you remotely spoof on the target phone to retrieve text messages, call logs, social media activities, bank information and many more. They deliver the best services and get you the peace of mind you deserve. Email: [email protected] and you can text,call him on +15177981808 Best wishes…

    Reply
  6. [email protected] says:
    4 days ago

    I’m excited to write about [email protected] he is a great and brilliant hacker who penetrated my spouse’s phone without a physical installation app. And I was able to access my spouse’s phone, SMS, Whatsapp, Instagram, Facebook, Wechat, Snapchat, Call Logs, Kik, Twitter and all social media. The most amazing thing there is that he restores all phone deleted text messages. And I also have access to everything including the phone gallery without touching the phone.I can see the whole secret of my spouse. Contact him for any hacking service. He is also a genius in repairing Credit Score, increasing school grade, Clear Criminal Record etc. His service is fast. Contact on: gmail and you can text or whatsapp him on ‪+1 (602) 562‑6646

    Reply

© 2021 Hackolo.com - Hacks and Glitches Portal HACKOLO.