April 18, 2017 By Larry Loeb 2 min read

Chinese security researcher Xudong Zheng found a way to work around add-on filters to render URLs as Punycode. He discovered characters within Unicode that could serve as functional substitutes for Latin alphabet characters and potentially allow fraudsters to mask phishing attacks. Since these characters were from only one language, using them does not trip the exclusionary filters imposed by the browsers.

For example, Zheng registered a certain domain that would display as “apple.com,” but was really composed of Cyrillic characters. This demonstrated a good proof of concept for potential phishing schemes.

Bleeping Computer reported that this vulnerability affects Chrome, Firefox and Opera browsers. Other browsers such as Edge, Internet Explorer, Safari, Vivaldi and Brave displayed the correct behavior by showing the Punycode.

A Flawed Industry Standard

Years ago, the Internet Corporation for Assigned Names and Numbers (ICANN) allowed allow non-ASCII (Unicode) characters to be present in web domains, but the firm quickly realized that this action could lead to some problems. Various characters from different languages can be confused for Unicode, since they will look the same in a browser display. Ultimately, this could enable a phishing attacker to display inaccurate URLs to victims.

To combat this, ICANN announced that Punycode, a way to represent Unicode within the limited character subset of ASCII used for internet host names, would specify actual domain registration. It was thought that browsers would first read the Punycode URL and then transform it into displayable Unicode characters inside the browser.

But like Unicode, Punycode could also hide phishing attempts through characters found in different languages. In response to this, vendors introduced add-on filters to render URLs as Punycode rather than Unicode if they contained characters from different languages.

According to Bleeping Computer, the browser-makers thought this would stop the substitutions from happening in the URL. Zheng’s research demonstrated otherwise.

Defense Against Phishing Attacks

In response to this vulnerability, Google decided to include a fix in Chrome 58, which will be released in late April, Zheng wrote.

Mozilla has not yet revealed its plans to resolve this situation. There is, however, a simple workaround for Firefox that disables Punycode support. To start, enter “about:config” in the Firefox address bar. Then enter “network.IDN_show_punycode” and set this option to “true” with a double-click.

This sort of homonym attack has been known for a while, and it was thought to be mitigated. It appears that a clever attack can still be performed using this method, placing internet users at risk of a phishing attack.

More from

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today