If readers use Chrome, Internet Explorer or Firefox as their web browser, this link may appear to be apple.com to them — but it isn't. In fact, it's a domain name in a non-English language, designed to look exactly the same.
#Chrome #Firefox affected by IDN homograph attack https://t.co/GWocPaLmXK #infosec #phishing #unicode pic.twitter.com/viiHWxgFSr
— Nowhere Man (@davidonzo) April 18, 2017
This practice of domain disguise is called a "homograph attack" — browser providers claimed to have eradicated the issue in the mid-00s, after falsified sites skimmed thousands from unsuspecting users, but the reverse is plain to see.
Chrome, Firefox, and Opera vulnerable to Homograph Attack though IE, Edge, Safari, Brave & Vivaldi Browsers are safe https://t.co/b7i7FPmuRL
— The Hacker News (@TheHackersNews) April 17, 2017
The problem stems from the internet's very origins — as a US invention, which hosts a network innovated in the UK (the worldwide web), the internet's addressing systems are only designed to accommodate English, and the classic Western keyboard (QWERTY etc.).
Efforts have been undertaken by net engineers in recent years to broaden the internet's language, but they have struggled to accommodate languages such as Cyrillic, as they contain symbols that are identical to letters in the English alphabet, that denote different letters entirely. For instance, a Cyrillic B is in fact an English V.
Net criminals can exploit this blindspot by creating links that appear as "Apple" and "Amazon," but direct users to sites that are anything but. The US-based organization in charge of the net's domain name system, ICANN, identified the issue as serious as far as 2005.
"ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs [internationalized domain names] become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs," the body said at the time.
Over a decade later, evidently little has been done to rectify the issue — despite flareups in the activity's usage at fairly regular intervals. This time round, web villains created a site, raural.com, that displayed as paypal.com — although quickly identified as a scam, some less discerning internet users were duly conned.
ICANN is certainly able to develop policies that would make the practice impossible, but has failed to do so — most browser providers have been similarly lethargic, at best introducing shortcuts to report phishing sites, at worst doing nothing. Firefox is the only browser as of April 2017 to actively attempt to limit abuse of the digital loophole, placing a modicum of restriction on mixing different language scripts.
Can you tell which is phishing?
— Michael Coates (@_mwc) April 15, 2017
You can't. That's the problem with Unicode look-a-like character substitution. https://t.co/431d4dNwGT pic.twitter.com/r18CLNCXcE
Firefox users can reduce the risk of being tricked by some rudimentary coding — visiting about:config, and setting network.IDN_show_punycode to true. Chrome devotees need only wait for the release of the browser's 58th iteration in May, which allegedly blocks the issue outright.
The threat of phishing has grown significantly in the new millennium, although this shouldn't surprise — cyberscams are a lucrative business.
Norton Cyber Security has calculated global cybercrime reaped US$126 billion in 2015, affecting 689 million people in 21 different countries. Furthermore, the firm estimates the threat grows by an average of 10 percent annually, suggesting many more billions are seized from many more millions of people in many more countries in 2017.
