This is a time when people like to hunt for Easter eggs, either the traditional ones or the clever ones hidden by software vendors. Both of these are fun. However, this one is more of a rotten egg, and it could cost us dearly if we don’t pay attention. It all starts with punycode and fake domains. The good news is there are several workarounds.
Yes, I know the term “punycode” is unusual. In a nutshell, it’s an encoding that lets a domain name containing non-ASCII letters be written using only the ASCII characters the domain name system allows. It’s actually very useful and makes the web more global by not restricting people to certain character sets. You can see an example below.
At this point, you’re probably saying the differences are obvious and how could there be a security problem? Let’s start with the web browser.
Fake Domains (Bait & Switch)
While the differences were easy to see in the image above, that isn’t always the case with web browsers. In fact, Xudong Zheng wrote a technical article on his site about this issue. Better yet, he set up an example you can see.
Most people would say that this was Apple’s site and would be reassured by the green padlock. But it’s not. It’s part of a “proof of concept”. Before you click to the site, hover over the link and see what shows as the address in the status bar in the lower left. It shows as https://www.apple.com. Again, this looks legit.
If you were to right-click and inspect the link, you would not see apple.com. Instead, it’s a strange-looking domain.
On the front end, the browser has decoded xn--80ak6aa92e into characters that display as apple. However, the HTML still shows the original punycode form.
Where’s the Danger?
While Xudong’s site was designed as a “proof of concept”, problems exist now. This has been a recurring problem with browser vendors. Various scammers have been buying Unicode domain names and making them look identical to the original. These tend to be sites that require user authentication like banks, brokerage firms, etc. The idea is to collect usernames and passwords. Sadly, many people tend to use the same credentials across multiple sites instead of using a password manager.
The good news is that not all browsers work the same. In fact, Apple’s Safari browser and Internet Explorer would provide warnings. The main problems are with Google Chrome and Firefox. Chrome is scheduled for an update, but Firefox has a manual fix.
The biggest danger is probably from clicking links in emails. This is just another variation of a phishing scenario. If you don’t know the sender, don’t click. Most email programs, like Gmail, have an option to “Show original” message. With Google, click the down triangle next to the Reply button. You can then see the real link.
The Firefox fix is relatively simple, but you may get a security message.
- Open Firefox
- In the address bar, type “about:config”
- Click the button to accept the risk.
- In the search box, type puny. There should be an entry for network.IDN_show_punycode
- Double-click the “false” value to turn it to “true”
While the browser vendors work to protect us from these fake domains, we still need to be vigilant. Scammers are getting craftier all the time as there is big money with these schemes even if they are short-lived.
One last tip for Google Chrome users. If you find yourself on a site and aren’t sure it’s legit:
- Click in the address bar.
- Press Ctrl+A to highlight the whole URL.
- Press Ctrl+C to copy the URL.
- Press Ctrl+V to repaste the URL.
- You should now see the original URL.
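To show what the browser is doing behind the scenes, both when it renders xn--80ak6aa92e as apple and when the copy-and-paste trick reveals the punycode form, here is an added Python example (not code from the original post or from Xudong Zheng’s demo). It decodes each label with Python’s built-in RFC 3492 punycode codec and flags labels that are mixed-script or made entirely of look-alike letters; the look-alike table is a small hand-built list, not an official confusables database.

```python
import unicodedata
from urllib.parse import urlsplit

# Hand-built, deliberately partial table of non-Latin letters that render like
# ASCII letters in common fonts (Cyrillic and Greek). Not an official confusables list.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04bb": "h", "\u04cf": "l", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u03bf": "o", "\u03bd": "v", "\u03b1": "a",
}

def decode_label(label):
    """Unicode form of one hostname label; 'xn--' labels carry RFC 3492 punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(host):
    """Punycode (ACE) form of a Unicode hostname: what Chrome shows after copy/paste."""
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in host.lower().split(".")
    )

def script_of(ch):
    """First word of the character's Unicode name, e.g. 'CYRILLIC' or 'LATIN'."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def inspect_host(url_or_host):
    """Decode IDN labels and flag ones that would pass for an ASCII brand name."""
    host = (urlsplit(url_or_host).hostname or url_or_host).lower()
    report = {"ascii": host, "unicode": "", "flags": []}
    decoded = []
    for label in host.split("."):
        u = decode_label(label)
        decoded.append(u)
        if u == label:
            continue  # plain ASCII label, nothing to decode
        letters = [c for c in u if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if len(scripts) > 1:
            report["flags"].append(f"mixed-script label {u!r}: {sorted(scripts)}")
        elif letters and all(c in LOOKALIKES for c in letters):
            looks_like = "".join(LOOKALIKES.get(c, c) for c in u)
            report["flags"].append(f"whole-script confusable {u!r} looks like {looks_like!r}")
    report["unicode"] = ".".join(decoded)
    return report
```

Running `inspect_host("https://www.xn--80ak6aa92e.com/")` on the proof-of-concept host from the article reports the decoded Cyrillic label and flags it as a whole-script confusable for apple.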