Punycode Exploit the Newest Phishing Attack

Bees

In the newest wave of phishing attacks, hackers have seemingly found a method to spoof SSL connected URLs using Punycode exploits. Said exploits are quite clever, and even the most careful user could fall susceptible to this attack.

By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL to defend against homograph phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by the International Domain Names (IDNs) system.

By taking advantage of how Punycode translates Unicode characters, one is able to register highly valued domain names that a browser will translate into the desired spoof URL. By applying for TLS encryption, a very legitimate phishing attack can be hosted. Interestingly, while Firefox and Opera are susceptible to this problem, Internet Explorer, Microsoft Edge, and Safari are protected. Google Chrome will remedy the issue when version Canary 59 is finalized.
 
Disable foreign chars in url bar (fine for my usage, perhaps not for foreign users): Firefox -> about:config -> punycode -> change to true. Now the demo doesn't work.
 
Should have just kept domain names using standard ASCII characters and been done with it.
 
This problem is easy though: color-code URL characters that aren't ASCII, then they will stand out, at least to the informed.
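As an added illustration (not code from any poster in this thread), the Python sketch below does what the replies above ask of the address bar: it converts a hostname between its Unicode and xn-- Punycode forms, makes non-ASCII characters visible, and reports whether a label mixes scripts. The hostnames are constructed samples, and deriving a character's script from its Unicode name is a simplifying assumption, not any browser's actual IDN display policy.

```python
import unicodedata

def to_unicode(host):
    """Decode any xn-- (Punycode) labels of a hostname to Unicode."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)

def to_ascii(host):
    """Encode non-ASCII labels as xn-- Punycode (no IDNA normalisation)."""
    out = []
    for label in host.split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label)
    return ".".join(out)

def mark_non_ascii(host):
    """Replace each non-ASCII character with a visible [U+XXXX] marker."""
    return "".join(c if c.isascii() else f"[U+{ord(c):04X}]" for c in host)

def label_scripts(label):
    """Scripts of a label's letters, taken from the Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def classify(host):
    """Return 'ascii', 'single-script-idn' or 'mixed-script' for a hostname."""
    verdict = "ascii"
    for label in to_unicode(host).split("."):
        if label.isascii():
            continue
        if len(label_scripts(label)) > 1:
            return "mixed-script"
        # One script only: can still be a lookalike, so report it, don't trust it.
        verdict = "single-script-idn"
    return verdict

if __name__ == "__main__":
    # Constructed samples: plain ASCII, one Cyrillic letter among Latin, all Cyrillic.
    for host in ["example.com", "ex\u0430mple.example", "\u0441\u0430\u0440\u0435.example"]:
        print(to_ascii(host), mark_non_ascii(host), classify(host))
```
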
 
The phishing attack does not work on Edge browser, at least the demo web page does not work.
 
Doesn't work in Vivaldi either, Opera on the other hand behaves more like Chrome.
Both are using the Chromium engine, though I'm guessing this has nothing to do with how the browser displays text in its address bar.
 
ehm, how about no...
the entire world does not use ascii... Internet is a global thing :)

Tough cookies. The only time I see any moonspeak is when cleaning up infected sites. Besides, I'm not saying all content should be in ASCII, just URLs.
 
iOS safari fails

EDIT: nvm, I see what it's supposed to do....
 
You guys been to those webpages that are like a fake firewall warning, and can't close anything other than using task manager?
Is that some kind of serious attack I can prevent? Because I have had that, and no, I was not looking at porn; the last time I was looking up something about Mitsubishi cars. I clicked into some website that was obviously now gone, but it was changed by that Windows firewall thing.
 
Already fixed in Chrome 58:
[$2000][683314] Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
[$2000][672847] Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
 
You guys been to those webpages that are like a fake firewall warning, and can't close anything other than using task manager?
Is that some kind of serious attack I can prevent? Because I have had that, and no, I was not looking at porn; the last time I was looking up something about Mitsubishi cars. I clicked into some website that was obviously now gone, but it was changed by that Windows firewall thing.

I have directly pinged Firefox about these sorts of pages, and they only seem to want to deal with them by putting them in the "known attack" list such that you shouldn't be opening them. Once opened, yeah, I have to kill the browser. It pops an endless password dialog box that is modal while the page talks and flashes.
 