This is the most authentic phishing site I’ve ever seen

There’s a new phishing site proof of concept on the block, and I guarantee you it would trick you. Think I’m kidding? Check this out.

There is a relatively unknown phishing technique known as a homograph attack, which makes it easy for an attacker to swap some ASCII characters in a domain name for Cyrillic lookalikes.

For example, the “a” in the word “apple” has a Cyrillic lookalike that, in most fonts, is 100% indistinguishable from a normal “a”.

Take the below site for example and look at the address bar.

Punycode 'a's

Can you tell that this is a phishing site from the URL?

Phishing site

It looks like the real deal right?

But it’s not.

I think we should stop for a moment and consider the implications.

As an attacker, I could go and register a domain name that looks like Apple.com but is really https://www.xn--80ak6aa92e.com/

That xn-- prefix is what’s known as Punycode, the ASCII encoding used for internationalized domain names. The browser decodes xn--80ak6aa92e into a string of Cyrillic letters, and that string renders in the address bar exactly like apple.com.

So then the attacker clones the real Apple.com (this is super easy but I won’t get into that here) – now they have a site that looks identical to apple.com. The only difference is that it’s an attacker-controlled site, so when you click on a link to buy the iPhone 8 and enter your credit card data, it’s going into the attacker’s database, NOT Apple’s!

This is obviously bad news.

One way to get around this is to update Chrome.

Type in:

chrome://help

Upgrade Chrome

then relaunch Chrome and it should fix the problem.

Chrome 58

You need to be at least at version 58.0.3029.81 to have the protections in place.

Let me show you another example of a fake site:

Security researchers at WordFence registered a Punycode version of the real healthcare website known as Epic.

Here is the real Epic website at https://www.epic.com/

Epic Website

There’s nothing phishy here. Now let’s look at the phishing Epic website. You can find it here (don’t worry, it’s safe to click – it’s just a proof of concept created by the good guys at WordFence):

https://www.xn--e1awd7f.com/

epic phishing site

Can you tell the difference? Well, besides the title of the tab?

The only way I could distinguish the two was when I copied the phishing URL to the clipboard and pasted it. Only then does it show its real source:

https://www.xn--e1awd7f.com/

So this is obviously bad.
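To make the decoding concrete, here is an added example (my own code, not from the article or from WordFence) that turns the two proof-of-concept hostnames above back into the Cyrillic strings the browser renders, and then applies the kind of check a defender would run over URLs in mail or proxy logs: flag a label when it mixes Latin with another script, or when every non-ASCII letter is a known Latin lookalike so the whole label reads as an ASCII word. The lookalike table and the protected brand list are constructed for the example, and the rule is a simplification of the sort of heuristic browsers adopted, not Chrome’s or Firefox’s actual algorithm.

```python
import unicodedata

# Partial table of Cyrillic letters that render identically to Latin letters in
# common fonts (constructed for this example; a production check would use the
# full Unicode confusables data).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def decode_label(label):
    """Return the Unicode form of one DNS label.

    An "xn--" prefix marks a Punycode-encoded label (the ASCII form of an
    internationalized domain name); any other label is returned unchanged.
    """
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def decode_hostname(host):
    """Decode every label of a hostname, e.g. www.xn--80ak6aa92e.com."""
    return ".".join(decode_label(label) for label in host.split("."))


def script_of(ch):
    """Approximate a letter's script from its Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(label):
    """Replace each known lookalike with the Latin letter it imitates."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def assess_hostname(host, protected=("apple", "epic")):
    """Flag labels that could be mistaken for a Latin-script name.

    Returns one finding per suspicious label with the raw label, its decoded
    form, the Latin skeleton, the reason ("mixed-script" when Latin letters are
    combined with another script, "whole-script-confusable" when every
    non-ASCII letter is a lookalike) and the protected brand it imitates, if any.
    Genuine non-Latin names such as a German umlaut domain produce no finding.
    """
    findings = []
    for label in host.split("."):
        uni = decode_label(label)
        if uni.isascii():
            continue  # plain ASCII labels cannot be homographs
        scripts = {script_of(ch) for ch in uni if ch.isalpha()}
        skel = skeleton(uni)
        if "LATIN" in scripts and len(scripts) > 1:
            reason = "mixed-script"
        elif skel.isascii():
            reason = "whole-script-confusable"
        else:
            continue  # non-Latin name with no Latin lookalike shape
        findings.append({
            "label": label,
            "unicode": uni,
            "skeleton": skel,
            "reason": reason,
            "imitates": skel.lower() if skel.lower() in protected else None,
        })
    return findings


if __name__ == "__main__":
    # Constructed inputs: the two proof-of-concept hosts from the article, a
    # mixed-script variant, a legitimate umlaut domain and a plain ASCII host.
    for host in ("www.xn--80ak6aa92e.com", "www.xn--e1awd7f.com",
                 "\u0430pple.com", "www.xn--mnchen-3ya.de", "www.apple.com"):
        print(host, "->", decode_hostname(host), assess_hostname(host))
```

Run it and the Apple and Epic hosts both come back as whole-script-confusable with skeletons “apple” and “epic”; the umlaut domain and the ASCII host produce no finding. The same skeleton comparison is what lets a log review or mail gateway match a decoded label against the brands it is meant to protect rather than relying on a human to spot the difference in the address bar.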

Again, the way to fix it in Chrome is to upgrade, but Firefox is still vulnerable (unless you use this little hack to fix it).

In Firefox, type about:config in the address bar.

FireFox About Config

You’re going to see a scary screen about voiding your warranty. Don’t ignore this – you very well could do irrevocable damage to your browser if you don’t know what you’re doing – that’s why you’re going to follow my instructions so you don’t goober things up.

Click “I accept the risk”.

Now type “punycode” in the search box. You should see network.IDN_show_punycode show up.

Enabling punycode in Firefox

Double-click the Value column to change the value from False to True, and you should be good to go. From then on, Firefox shows the raw xn-- form in the address bar instead of the decoded lookalike characters.


Connect with Vonnie on Twitter
