Last week we covered Punycode phishing, which abuses Punycode, the encoding that allows Internationalized Domain Names (IDNs) to be registered using characters that can’t be written in ASCII (American Standard Code for Information Interchange). It can trick even the most experienced internet users by making a website address look legitimate.
This week, we will focus on how to prevent these attacks, and protect ourselves from them.
Preventing Homograph Phishing Attacks in Firefox
If you can’t read Cyrillic, you lose nothing by seeing such domain names in their Punycode format; in fact, you gain a lot by not seeing them as misleading fake-English text.
Firefox users can complete the following steps to manually apply temporary protection against Punycode Phishing attacks:
- Open a new tab in Firefox
- Type about:config in address bar and press Enter.
- Click the “I accept the risk!” button.
- Type Punycode in the search bar.
- A ‘Preference Name’ titled IDN_show_punycode will be displayed. Right-click it and select Toggle to change the ‘Value’ field from False to True.
- Close the ‘about:config’ tab.
Protecting Yourself from Online Attacks
Homograph attacks are extremely difficult to detect because of the way they are deployed, and the major browser vendors are working on patches to keep users safe. Below are some tips from our experts: a list of simple things you can do to protect yourself from these attacks. Some of these steps will also protect you from other types of online attacks.
- Set Firefox to display Punycode names. See steps above for changing the about:config settings in Firefox.
- Click the padlock to display the HTTPS certificate. It shows the domain name the certificate was issued for in ASCII-only form. If that name starts with ‘xn--’, it is a Punycode domain, no matter what it looks like in the address bar. (Note: you can get even more information by clicking the ‘View Certificate’ option.)
- You can also check the legitimacy of a URL by copying it out of the web browser and pasting it into a text editor. A spoofed URL only appears legitimate; it actually uses an address beginning with “www.xn--”, which is revealed for what it actually is once taken outside the browser’s address bar. Zheng’s fake Apple.com site, for example, uses the address https://www.xn--80ak6aa92e.com.
- Use a password manager. The software automatically enters your login credentials only on the actual domains they are linked to, which reduces the risk of typing a password into an incorrectly named site. The password manager will never match your Apple (ASCII) password with an Apple (Cyrillic) domain name, no matter what character encoding is used.
- For important sites such as Gmail, Facebook, Twitter, Yahoo or your bank, always type the URL into the address bar yourself instead of clicking a link on a website or in an email. This ensures that you are always visiting the legitimate website.
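The padlock and copy-to-editor checks above both come down to looking at the ASCII (xn--) form of each label and asking which scripts the decoded name uses. The script below is an added example, not code from the original post: it decodes Punycode labels with Python’s standard library, shows the ASCII form a text editor would reveal, and flags labels whose letters are non-Latin or mixed-script. The hostname checked is Zheng’s demo address quoted above; the hypothetical “pаypal” host is a constructed mixed-script sample.

```python
"""Flag homograph lookalikes in a URL's hostname (added example)."""
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # RFC 3490 ASCII-Compatible Encoding prefix


def decode_label(label: str) -> str:
    """One DNS label -> its Unicode form (raw Punycode, no IDNA mapping)."""
    if label.lower().startswith(ACE_PREFIX):
        # The 'punycode' codec is plain RFC 3492; the stricter 'idna' codec
        # (IDNA2003 tables) rejects some newer letters such as U+04CF.
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def encode_label(label: str) -> str:
    """Reverse direction: what the URL looks like once pasted into an editor."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def scripts_in(text: str) -> set:
    """Unicode scripts of the letters in `text`; digits and '-' are ignored."""
    scripts = set()
    for ch in text:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        # For letters the first word of the character name is its script.
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def inspect_host(url: str) -> list:
    """Per label: ASCII form, Unicode form, scripts, and a suspicion flag
    (non-Latin letters, or Latin mixed with another script)."""
    host = urlsplit(url).hostname or ""
    report = []
    for label in host.split("."):
        uni = decode_label(label)
        scripts = scripts_in(uni)
        report.append({"ascii": encode_label(uni), "unicode": uni,
                       "scripts": sorted(scripts),
                       "suspicious": bool(scripts - {"LATIN"})})
    return report


if __name__ == "__main__":
    for entry in inspect_host("https://www.xn--80ak6aa92e.com/login"):
        print(entry)
```

The middle label decodes to five Cyrillic letters (including U+04CF, palochka, standing in for a Latin “l”), which is exactly why it renders as “apple” in a browser that shows the Unicode form.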