Can Your Eyes Spot this Security Problem?

When you look at an address in your browser, do you ever consider that it might not be the site you think? Scammers are getting smarter about how they hide their fake domains. These domains are real, registered domains, but what you see in the address bar may not be the site you expect. Initially, people substituted 0’s for o’s or 1’s for i’s. We’ve wised up to that trick, but now we have punycode.

Punycode What?

Yes, I know the term “punycode” is unusual. In a nutshell, it’s an encoding that represents non-ASCII letters in a domain name using only the plain ASCII characters that DNS supports. It’s instrumental in making the web more global by not restricting people to certain character sets. You can see an example below.

[Image: Punycode example from Punycoder.com]

At this point, you’re probably saying the differences are obvious, and how could there be a security problem? Let’s start with the web browser.

Fake Domains (Bait & Switch)

While the differences in the image above were easy to see, that isn’t always the case in a web browser’s address bar. In fact, Xudong Zheng wrote a technical article on his site about this issue. Better yet, he set up an example you can see.

[Image: IDN domain shown in the address bar. Is this Apple.com or a fake domain?]

Most people would say that this was Apple’s site and would be reassured by the green padlock. But it’s not. It’s part of a “proof of concept.” Before you go to the site, hover over the link and look at the address in the lower-left status bar. It shows as https://www.apple.com. Again, this looks legit.

If you were to right-click and inspect the link, you would not see apple.com. Instead, it’s a strange-looking domain.

[Image: Punycode domain in Chrome Dev Tools. Chrome Dev Tools show a different domain.]

In the address bar, the browser has rendered xn--80ak6aa92e as something that looks like “apple.” The HTML, however, still shows the original, encoded domain.

Where’s the Danger?

While Xudong’s site was designed as a “proof of concept,” the problem is real today. It has been a recurring issue for browser vendors. Various scammers have been buying Unicode domain names and making them look identical to the original. These tend to imitate sites that require user authentication, like banks, brokerage firms, etc. The idea is to collect usernames and passwords. Sadly, many people use the same credentials across multiple sites instead of using a password manager, so one stolen login can unlock several accounts.

The good news is that not all browsers behave the same way. In fact, Apple’s Safari browser and Internet Explorer would provide warnings. The main problems are with Google Chrome and Firefox. Chrome is scheduled for an update, and Firefox has a manual fix, described below.

The biggest danger is probably from clicking links in emails. This is just another variation of a phishing scenario. If you don’t know the sender, don’t click. Most email programs, like Gmail, have an option to “Show original” message. In Gmail, click the down triangle next to the Reply button. In the raw message source you can then see the real link target, rather than the text the sender chose to display.
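The two observations above, that the browser displays xn--80ak6aa92e as a Latin-looking word while the HTML carries the encoded form, and that an email’s raw source reveals the real link target, can be checked programmatically. The script below is an added example written for this article; it is not code from the page or from Xudong Zheng’s proof of concept. It decodes punycode labels with Python’s standard `punycode` codec, reports which Unicode scripts a label uses, and flags labels built entirely from Cyrillic letters that look like Latin ones. The lookalike table and the sample email HTML are constructed for illustration (the table is deliberately small; a production checker would use the Unicode confusables data); the xn--80ak6aa92e domain is the one the article discusses.

```python
"""Decode punycode (IDN) host names found in links and flag lookalike labels.

Added example for this article; not the page's or Xudong Zheng's code.
The confusable table and the HTML sample below are constructed.
"""
import codecs
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

ACE_PREFIX = "xn--"  # prefix that marks a punycode-encoded DNS label

# Assumption: a hand-picked, intentionally small map of Cyrillic letters that
# render almost identically to Latin letters in common fonts.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}


def decode_label(label):
    """Unicode form of one DNS label (xn--80ak6aa92e -> Cyrillic 'apple').

    The raw punycode codec is used instead of the 'idna' codec because the
    latter also applies nameprep and rejects some characters attackers use.
    """
    if label.lower().startswith(ACE_PREFIX):
        return codecs.decode(label[len(ACE_PREFIX):].encode("ascii"), "punycode")
    return label


def encode_label(label):
    """Reverse direction: the ASCII form that is actually sent to DNS."""
    if label.isascii():
        return label
    return ACE_PREFIX + codecs.encode(label, "punycode").decode("ascii")


def decode_host(host):
    return ".".join(decode_label(part) for part in host.split("."))


def encode_host(host):
    return ".".join(encode_label(part) for part in host.split("."))


def scripts_in(label):
    """Script names (first word of each letter's Unicode name) used in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """What the label looks like to a human: lookalikes replaced by Latin."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def analyse_host(host):
    """Decode a host name and list the reasons it might be a lookalike."""
    decoded = decode_host(host)
    findings = []
    for label in decoded.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:  # Latin and Cyrillic letters mixed in one label
            findings.append(f"mixed scripts in {label!r}: {sorted(scripts)}")
        letters = [ch for ch in label if ch.isalpha()]
        if scripts and scripts != {"LATIN"} and all(ch in CYRILLIC_LOOKALIKES for ch in letters):
            findings.append(f"{label!r} is made only of Latin lookalikes; reads as {skeleton(label)!r}")
    return {"host": host, "decoded": decoded, "findings": findings}


class _LinkCollector(HTMLParser):
    """Collect href targets from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(value for name, value in attrs if name == "href" and value)


def suspicious_links(html):
    """Return the analysis for every link whose host produces a finding."""
    collector = _LinkCollector()
    collector.feed(html)
    reports = [analyse_host(h) for h in (urlparse(u).hostname for u in collector.hrefs) if h]
    return [r for r in reports if r["findings"]]


# Constructed sample: the visible link text says apple.com, but the href
# points at the punycode domain from the proof of concept in the article.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Sign in here:</p>
<a href="https://www.xn--80ak6aa92e.com/login">https://www.apple.com</a>
<a href="https://www.apple.com/support">Apple Support</a>
"""

if __name__ == "__main__":
    for report in suspicious_links(SAMPLE_EMAIL_HTML):
        print(report["host"], "->", report["decoded"])
        for finding in report["findings"]:
            print("  ", finding)
```

Run stand-alone, the script reports only the first link: its host decodes to five Cyrillic letters (U+0430, U+0440, U+0440, U+04CF, U+0435) whose skeleton reads “apple”, while the genuine apple.com link produces no finding. Feeding the decoded host back through `encode_host` returns the xn-- form, which is exactly what the Ctrl+A/Ctrl+C trick for Chrome at the end of the article exposes.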

[Image: “Show Original” feature in Gmail]

Fixing Firefox

The Firefox fix is relatively simple, but you will see a security warning along the way.

  1. Open Firefox.
  2. In the address bar, type “about:config”.
  3. Open the Firefox Config panel.
    [Image: Open Firefox Config panel]
  4. Click the button to Accept the Risk and Continue.
  5. In the search box, type puny. There should be an entry for network.IDN_show_punycode.
  6. Double-click the “false” value to change it to “true.”
[Image: Punycode option in Firefox config settings.]

Final Thoughts

While the browser vendors work to protect us from these fake domains, we still need to be vigilant. Scammers are getting craftier, as there is big money in these schemes, even if each one is short-lived.

One last tip for Google Chrome users. If you find yourself on a site and aren’t sure it’s legit:

  1. Click in the address bar.
  2. Press Ctrl+A to highlight the whole URL.
  3. Press Ctrl+C to copy the URL.
  4. Press Ctrl+V to paste the URL back into the address bar.
  5. You should now see the original URL, with any punycode label spelled out.