Unicode Character Based Phishing Attacks Register Domains That Look Exactly Identical To Real Domains

There has been substantial growth in both the frequency and sophistication of phishing attacks over the last couple of years, with one of the best-known being the iCloud hack of celebrities that resulted in the release of a huge dump of nude pictures.

Basically, phishing is a type of social engineering attack often used to steal sensitive data, including login credentials, passwords, credit card numbers, and social security numbers.

It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

Once the unsuspecting recipient is tricked into clicking a malicious link, this can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

The key to a successful attack is the ability to hide the identity of the malicious website by using a combination of tricks that allow the malicious website to look very similar to the valid website.

In this new variant of phishing, initially reported by Wordfence, the WordPress security company, hackers are able to clone a domain that looks like the original, thereby drastically increasing the success rate of these hacks.

They do this by using a combination of Unicode characters to register domains that look identical to real domains. Once these domains have been registered, they can be used in phishing attacks to fool unsuspecting users into signing into a fake website and divulging sensitive information.

The security folks at Wordfence created a demo to illustrate the vulnerability. In the demonstration, they were able to register a domain that looks exactly like that of the popular health website epic.com.

When you visit the website epic.com in your browser, you will notice that it sends you to the original website as pictured in the screenshot below:

The fake/malicious epic.com domain can be viewed here: https://xn--e1awd7f.com/. You can see from the screenshot below that the address bar is identical, and a regular user will not be able to distinguish this from the original website.

This particular vulnerability affects the most recent version of Google’s Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. This does not currently affect Internet Explorer or Safari browsers.

As pictured in the screenshots above, they had successfully cloned the real epic.com website. Once an attacker is able to do this, they can start emailing people and try to get them to sign into the fake healthcare website, which would hand over their sensitive credentials to the attacker.

There’s currently no way to fix this in Chrome. Chrome has already released a fix in its Canary release, which is its test release. This should be released to the general public within the next few days. However, there is a fix that you can apply in Firefox by typing about:config and then searching for punycode. Once you find that, you can change the parameter named network.IDN_show_punycode to true.
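For defenders who want to check hostnames from mail or proxy logs, the sketch below decodes the Punycode form that the Firefox setting reveals and flags names that collapse to a protected domain. It is an added example, not code from Wordfence or either browser; the `LOOKALIKES` table and the watch list are hand-built assumptions, not the full Unicode confusables data.

```python
import unicodedata

# Assumption: small hand-picked subset of Cyrillic letters that render like
# Latin ones. It is not the full Unicode confusables data.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}


def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- labels are Punycode."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label
    return label


def scripts(text):
    """Scripts used by the letters in text, from the Unicode character names."""
    return sorted({unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in text if c.isalpha()})


def skeleton(text):
    """Map each known lookalike to the Latin letter it imitates."""
    return "".join(LOOKALIKES.get(c, c) for c in text.lower())


def check_host(host, protected):
    """Decode host and report whether it imitates a name in `protected`."""
    labels = [decode_label(l) for l in host.rstrip(".").split(".")]
    shown = ".".join(labels)
    skel = skeleton(shown)
    spoofed = skel if skel in protected and shown.lower() != skel else None
    return {"unicode": shown, "label_scripts": [scripts(l) for l in labels],
            "skeleton": skel, "spoofs": spoofed}


if __name__ == "__main__":
    # The demo domain from this page, checked against a constructed watch list.
    for name in ("xn--e1awd7f.com", "epic.com"):
        print(name, check_host(name, {"epic.com"}))
```

The demo domain's first label decodes to four Cyrillic letters, so a check that only looks for mixed scripts inside a single label would not flag it; the skeleton comparison does.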

Further Reading:
Phishing with Unicode Domains
Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites