Punycode Exploit the Newest Phishing Attack

Discussion in '[H]ard|OCP Front Page News' started by Bees, Apr 19, 2017.

  1. Bees

    Bees [H]ard|Gawd

    In the newest wave of phishing attacks, hackers have seemingly found a method to spoof SSL connected URLs using Punycode exploits. Said exploits are quite clever, and even the most careful user could fall susceptible to this attack.

    By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL to defend against homograph phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by the International Domain Names (IDNs) system.

    By taking advantage of how Punycode translates Unicode characters, one is able to register highly valued domain names that a browser will translate into the desired spoof URL. By applying for TLS encryption, a very legitimate phishing attack can be hosted. Interestingly, while Firefox and Opera are susceptible to this problem, Internet Explorer, Microsoft Edge, and Safari are protected. Google Chrome will remedy the issue when version Canary 59 is finalized.
     
    Last edited: Apr 19, 2017
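An added example, not part of the original thread: a defender-side check that decodes each `xn--` label of a hostname and flags labels that mix scripts or are written entirely in lookalike letters, the case described in the post above. The `LOOKALIKES` table, the function names and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Illustrative subset of Cyrillic letters that render like ASCII letters;
# a production check would use the full Unicode confusables data instead.
LOOKALIKES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(text):
    """Approximate the scripts in a label from Unicode character names."""
    found = set()
    for ch in text:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphen are shared by all scripts
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def check_hostname(host):
    """Return (label, unicode_form, verdict) for every label in host."""
    report = []
    for label in host.split("."):
        text = decode_label(label)
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in text)
        if text.isascii():
            verdict = "ascii"
        elif len(scripts_of(text)) > 1:
            verdict = "mixed-script"
        elif skeleton.isascii():
            verdict = "whole-script lookalike of '%s'" % skeleton
        else:
            verdict = "non-ascii"
        report.append((label, text, verdict))
    return report

if __name__ == "__main__":
    # Constructed sample: four Cyrillic letters that read as "coco".
    fake = "xn--" + "\u0441\u043e\u0441\u043e".encode("punycode").decode("ascii")
    for host in ("example.com", fake + ".example", "xn--bcher-kva.example"):
        print(host, check_hostname(host))
```
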
  2. fairlane

    fairlane Limp Gawd

  3. xorbe

    xorbe [H]ardness Supreme

    Disable foreign chars in url bar (fine for my usage, perhaps not for foreign users): Firefox -> about:config -> punycode -> change to true. Now the demo doesn't work.
     
  4. CacaSapo

    CacaSapo Limp Gawd

    Should have just kept domain names using standard ASCII characters and been done with it.
     
  5. ole-m

    ole-m Limp Gawd

    ehm, how about no...
    the entire world does not use ascii... Internet is a global thing :)
     
  6. U-238

    U-238 [H]Lite

    The entire world should use ASCII. Because it's much better.



    cuz murica :cool:
     
    DF-1 and CacaSapo like this.
  7. xorbe

    xorbe [H]ardness Supreme

    This problem is easy though: color code URL characters that aren't ASCII, then it will stand out, at least to the informed.
     
    xX_Jack_Carver_Xx likes this.
  8. bbqrooster

    bbqrooster Limp Gawd

    The phishing attack does not work on Edge browser, at least the demo web page does not work.
     
  9. heatlesssun

    heatlesssun Pick your own.....you deserve it.

    It doesn't work in Edge, IE, Safari and a couple of others.
     
  10. Dunamis

    Dunamis [H]ard|Gawd

    Doesn't work in Vivaldi either, Opera on the other hand behaves more like Chrome.
    Both are using the Chromium engine, though I'm guessing this has nothing to do with how the browsers display text in their address bar.
     
  11. CacaSapo

    CacaSapo Limp Gawd

    Tough cookies. The only time I see any moonspeak is when cleaning up infected sites. Besides, I'm not saying all content should be in ASCII, just URLs.
     
  12. EvilWays

    EvilWays [H]ard|Gawd

    Time to go back to EBCDIC. :D
     
  13. 86 5.0L

    86 5.0L [H]ardness Supreme

    iOS safari fails

    EDIT: nvm, I see what it's supposed to do....
     
  14. Uvaman2

    Uvaman2 [H]ard|Gawd

    You guys been to those webpages that are like a fake firewall warning, and can't close anything other than using task manager?
    Is that some kind of serious attack I can prevent? Because I have had that, and no, not looking at porn; the last one, I was looking up something about Mitsubishi cars. I clicked into some website that was obviously now gone, but it was changed by that Windows firewall thing.
     
  15. Inq

    Inq n00bie

    Already fixed in Chrome 58:
    [$2000][683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
    [$2000][672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
     
  16. xorbe

    xorbe [H]ardness Supreme

    I have directly pinged Firefox about these sorts of pages, and they only seem to want to deal with them by putting them in the "known attack" list such that you shouldn't be opening them. Once opened, yeah, I have to kill the browser. It pops an endless password dialog box that is modal while the page talks and flashes.