Google Chrome, Safari, and Opera's logo
Image: Tech Radar.

A new phishing threat appeared online this week, as tech outlets learned of a Punycode exploit that makes Google Chrome and Firefox browsers display fake sites as legitimate ones. Opera is also reportedly affected by this issue.

Even tech-savvy users can fall for this trick, as the URL of a site like apple.com may look the same but be written in different characters. Developer Xudong Zheng first exposed the vulnerability in his blog last Friday.

Chrome developers have quickly patched the bug in the latest build of the browser while Firefox users can tweak their settings to see the real address of the impostor site. Apple’s Safari and Microsoft’s Edge and Internet Explorer were not vulnerable.

What is Punycode and how does it work?

Punycode is a play on words that refers to using Unicode in a deceptive way to display internet addresses. Unicode is a character encoding standard that is commonly used to write all kinds of symbols in computers.

The thing about Unicode is that it encompasses many character encoding subsets or writing systems that end up looking remarkably similar. Some characters are downright indistinguishable, and they have been used to execute what is known as a homograph attack.

Using the modified version as a tool to translate characters into ASCII symbols, scammers can create fake sites with the same URL address as the original one.

For instance, Xudong Zheng set up a false domain that replicates apple.com in a way that is just impossible to notice without taking extreme browsing precautions. Un-encoded, the fake site’s link is xn--80ak6aa92e.com.

These new bogus addresses are made up using a single subset (in this case Cyrillic characters) that are then translated into ASCII using Punycode. In this way, browsers read it as a legitimate site in spite of having a fishy-looking link.

How can I protect myself against Punycode phishing scams?

Firefox and Google Chrome do have defense filters against homograph attacks, but this new technique can bypass them because the URLs are written in just one ‘language’ instead of using a mixture of different characters.

Those using Google Chrome will be glad to know that the only thing they need to do to stay safe is to update their browser to version 58.0.3029.81 or newer. You can check and update Chrome in the More menu, selecting Help, and then About Google Chrome.

In Firefox, developers have restrained from launching a patch citing that webmasters should be free to write their addresses in any language they want, but users can tweak the browser to show Punycode addresses.

From Zheng’s post:

“FIREFOX USERS CAN LIMIT THEIR EXPOSURE TO THIS BUG BY GOING TO about: config AND SETTING network.IDN_show_punycode TO true. THIS WILL FORCE FIREFOX TO ALWAYS DISPLAY IDN DOMAINS IN ITS PUNYCODE FORM, MAKING IT POSSIBLE TO IDENTIFY MALICIOUS DOMAINS.”

Source: Xudong Zheng