This is the most authentic phishing site I've ever seen - fixedByVonnie

There’s a new phishing site proof of concept on the block and I guarantee you it would trick you.  Think I’m kidding? Check this out.

There is a relatively unknown phishing technique known as a homograph attack, which lets an attacker swap some ASCII characters in a domain name for Cyrillic equivalents that look the same.

For example, the “a” in the word “apple” has a Cyrillic equivalent that looks 100% identical to a normal “a”.

Take the below site for example and look at the address bar.

Punycode 'a's

Can you tell that this is a phishing site from the URL?

Phishing site

It looks like the real deal right?

But it’s not.

I think we should take a moment to stop and consider the implications.

As an attacker, I could go and register a domain name that looks like Apple.com but is really https://www.xn--80ak6aa92e.com/

That xn-- prefix marks what’s known as the Punycode format: the browser decodes xn--80ak6aa92e into a string of Cyrillic characters that renders as apple.com.

So then the attacker clones the real Apple.com (this is super easy but I won’t get into that here) – now they have a site that looks identical to apple.com. The only difference is that it’s an attacker-controlled site, so when you click on a link to buy the iPhone 8 and enter your credit card data it’s going into the attacker’s database, NOT Apple’s!

This is obviously bad news.

One way to get around this is to update Chrome

Type in:

chrome://help

Upgrade Chrome

then relaunch Chrome and it should fix the problem.

Chrome 58

You need to be at least at version 58.0.3029.81 to have the protections in place.

Let me show you another example of a fake site:

Security researchers at WordFence registered a Punycode version of the real healthcare website known as Epic.

Here is the real Epic website at https://www.epic.com/

Epic Website

There’s nothing phishy here. Now let’s look at the phishing Epic website. You can find it here (don’t worry, it’s safe to click – it’s just a proof of concept created by the good guys at WordFence):

https://www.xn--e1awd7f.com/

epic phishing site

Can you tell the difference? Well, besides the title of the tab?

The only way I could distinguish the two was when I copied the phishing URL to the clipboard and pasted it. Only then does it show its real source:

https://www.xn--e1awd7f.com/

So this is obviously bad.
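To see what the browser is actually doing with those two xn-- hostnames, here is an added example (not code from the original post) that decodes the Punycode labels with Python's standard library and applies a Chrome 58 style check: a label whose letters are all Cyrillic but whose lookalike "skeleton" is plain ASCII gets flagged. The CYRILLIC_LOOKALIKES table is a constructed subset of the Unicode confusables list, not the full list.

```python
"""Decode Punycode host labels and flag whole-script Cyrillic lookalikes."""
import unicodedata

# Constructed subset of Cyrillic -> Latin confusables (letters that render
# like Latin letters in common fonts). Not the complete Unicode list.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u04cf": "l", "\u04bb": "h", "\u0501": "d",
    "\u051b": "q", "\u051d": "w", "\u0455": "s",
}


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) into its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        # The punycode codec is the raw RFC 3492 decoder, with no IDNA checks.
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text: str) -> str:
    """Replace each known lookalike with the Latin letter it resembles."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def scripts(text: str) -> set:
    """Scripts used by the letters in text, taken from the Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def analyze(hostname: str) -> dict:
    """Decode every label and flag those a user could mistake for a Latin name."""
    labels = [decode_label(lab) for lab in hostname.split(".")]
    flagged = []
    for lab in labels:
        used = scripts(lab)
        sk = skeleton(lab)
        # Whole-script confusable: every letter is Cyrillic, yet the skeleton
        # is ordinary ASCII, so it spells a Latin word on screen.
        if used == {"CYRILLIC"} and sk.isascii():
            flagged.append(lab)
        # Mixing Latin and Cyrillic in one label is suspicious on its own.
        elif "LATIN" in used and "CYRILLIC" in used:
            flagged.append(lab)
    return {
        "unicode": ".".join(labels),
        "skeleton": ".".join(skeleton(lab) for lab in labels),
        "flagged": flagged,
    }
```

Running `analyze("www.xn--80ak6aa92e.com")` gives the skeleton www.apple.com with the Cyrillic label flagged, which is exactly the rendering a browser shows when it does not apply this kind of check.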

Again, the way to fix it in Chrome is to upgrade, but Firefox is still vulnerable (unless you use this little hack to fix it).

In Firefox, type in about:config in the address bar

FireFox About Config

You’re going to see a scary screen about voiding your warranty. Don’t ignore this – you very well could do irrevocable damage to your browser if you don’t know what you’re doing – and that’s why you’re going to follow my instructions so you don’t goober things up.

Click “I accept the risk”

Now type “punycode” in the search box. You should see this preference show up:

network.IDN_show_punycode

Enabling punycode in Firefox

Double click the Value column to change the value from False to True and you should be good to go.

  • Skygazer

    Yeah we got cases like these daily by the hundreds in AppleCare. So many customers were falling for similar phishing websites and/or emails…