Punycode Exploit the Newest Phishing Attack

Bees

[H]ard|Gawd
Joined
Jul 24, 2011
Messages
1,208
In the newest wave of phishing attacks, hackers have seemingly found a method to spoof SSL connected URLs using Punycode exploits. Said exploits are quite clever, and even the most careful user could fall susceptible to this attack.

By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL to defend against homograph phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by the International Domain Names (IDNs) system.

By taking advantage of how Punycode translates Unicode characters, one is able to register highly valued domain names that a browser will translate into the desired spoof URL. By applying for TLS encryption, a very legitimate phishing attack can be hosted. Interestingly, while Firefox and Opera are susceptible to this problem, Internet Explorer, Microsoft Edge, and Safari are protected. Google Chrome will remedy the issue when version Canary 59 is finalized.
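The display decision described in the post above, as an added example that is not part of the thread or any browser's code: decode each xn-- label and fall back to the Punycode form when a label mixes scripts or consists only of Latin lookalikes. The LOOKALIKES table, the function names and the hostnames are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones; a real
# check would use the full Unicode confusables data (assumption of this example).
LOOKALIKES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0445": "x", "\u0443": "y"}

def decode_label(label):
    """Unicode form of one DNS label; xn-- labels carry Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Punycode (xn--) form of a label; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Approximate scripts in use, from the first word of each letter's name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def assess(hostname):
    """Return (name that is safe to display, verdict per label)."""
    shown, verdicts = [], []
    for raw in hostname.split("."):
        try:
            uni = decode_label(raw)
        except UnicodeError:              # malformed Punycode: show it raw
            shown.append(raw)
            verdicts.append("invalid-punycode")
            continue
        if uni.isascii():
            verdict = "ascii"
        elif len(scripts(uni)) > 1:
            verdict = "mixed-script"
        elif all(ch in LOOKALIKES for ch in uni if not ch.isascii()):
            verdict = "whole-script-lookalike"
        else:
            verdict = "idn"
        risky = verdict in ("mixed-script", "whole-script-lookalike")
        shown.append(to_ascii(uni) if risky else uni)
        verdicts.append(verdict)
    return ".".join(shown), verdicts

if __name__ == "__main__":
    # Constructed hostnames under the reserved .example TLD.
    for host in ("example.com", "\u0441\u043e\u0441\u043e.example",
                 "ex\u0430mple.example", "\u043f\u0440\u0438\u043c\u0435\u0440.example"):
        print(assess(host))
```

A label written entirely in one non-Latin script passes a mixed-script test, which is why the whole-script check is a separate branch.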
 

xorbe

Supreme [H]ardness
Joined
Sep 26, 2008
Messages
6,028
Disable foreign chars in url bar (fine for my usage, perhaps not for foreign users): Firefox -> about:config -> punycode -> change to true. Now the demo doesn't work.
 

CacaSapo

Limp Gawd
Joined
Feb 22, 2010
Messages
398
Should have just kept domain names using standard ASCII characters and been done with it.
 

xorbe

Supreme [H]ardness
Joined
Sep 26, 2008
Messages
6,028
This problem is easy though: color code URL characters that aren't ASCII, then it will stand out, at least to the informed.
 

bbqrooster

Limp Gawd
Joined
Aug 14, 2011
Messages
207
The phishing attack does not work on Edge browser, at least the demo web page does not work.
 

Dunamis

[H]Lurker Supreme[/H]
Joined
Jun 30, 2004
Messages
2,220
Doesn't work in Vivaldi either, Opera on the other hand behaves more like Chrome.
Both are using the Chromium engine, though I'm guessing this has nothing to do with how the browser displays text in its address bar.
 

CacaSapo

Limp Gawd
Joined
Feb 22, 2010
Messages
398
ehm, how about no...
the entire world does not use ASCII... Internet is a global thing :)

Tough cookies. The only time I see any moonspeak is when cleaning up infected sites. Besides, I'm not saying all content should be in ASCII, just URLs.
 

86 5.0L

Supreme [H]ardness
Joined
Nov 13, 2006
Messages
7,069
iOS safari fails

EDIT nvm, I see what it's supposed to do....
 

Uvaman2

2[H]4U
Joined
Jan 4, 2016
Messages
3,143
You guys been to those webpages that are like a fake firewall warning, and can't close anything other than using task manager?
Is that some kind of serious attack I can prevent? Because I have had that, and no, not looking at porn, the last one I was looking up something about Mitsubishi cars, I clicked into some website that was obviously now gone, but it was changed by that Windows firewall thing.
 

Inq

n00b
Joined
Aug 31, 2008
Messages
19
Already fixed in Chrome 58:
[$2000][683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
[$2000][672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
 

xorbe

Supreme [H]ardness
Joined
Sep 26, 2008
Messages
6,028
You guys been to those webpages that are like a fake firewall warning, and can't close anything other than using task manager?
Is that some kind of serious attack I can prevent? Because I have had that, and no, not looking at porn, the last one I was looking up something about Mitsubishi cars, I clicked into some website that was obviously now gone, but it was changed by that Windows firewall thing.

I have directly pinged Firefox about these sorts of pages, and they only seem to want to deal with them by putting them in the "known attack" list such that you shouldn't be opening them. Once opened, yeah, I have to kill the browser. It pops an endless password dialog box that is modal while the page talks and flashes.
 