Punycode / Homograph Domain Spoofing

Threat Level: Medium
Threat Type: Phishing
Advisory Date: 07/13/2023

Description

Information Services is recommending that users perform a manual configuration of Firefox to help protect against Punycode phishing attacks, also known as homograph attacks.  Firefox will display a website address that looks legitimate but is not, because one or more characters have been deceptively replaced with Unicode characters.  Characters from other alphabets such as Greek, Cyrillic, and Armenian in internationalised domain names look the same as Latin letters to the casual eye but are treated by computers as a completely different web address.  Thus, a carefully crafted domain can masquerade in the browser as a trusted site.  This may trick a user into entering credentials or other information into an unknown website, leading to a phishing attack or even malware distribution.

Impact

This loophole allows the domain name “xn--80ak6aa92e.com” to appear as “apple.com”.  Many other websites may be spoofed in the same way.  This may lead to account credentials being stolen if they are entered into an untrusted site that appears to be a trusted one, both in the domain (website address) and in the appearance of its web pages.

This manual change only applies to Mozilla Firefox, as no update is available for it.

Browsers not impacted include Internet Explorer, Microsoft Edge, and Apple Safari.  Chrome will be updated in version 58, so it is recommended to update as soon as possible.

Resolution

Users must go into their Firefox browser settings and manually make the security changes required.

  1. Type about:config in the address bar and press Enter.
  2. Type Punycode in the search bar.
  3. The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.

Another good practice is to click on the padlock to display the HTTPS certificate.  This shows the domain name for which the certificate was issued in the DNS-friendly, ASCII-only format, so if the name starts with xn-- then you are looking at a Punycode domain that has been spoofed, regardless of how it looks in the address bar.
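The xn-- check above works because the ASCII form cannot hide the substitution.  As an added example that is not part of this advisory, the following Python script applies the same check to a hostname: it decodes any xn-- label with the standard library's punycode codec, reports which Unicode scripts the name uses, and compares the name against a list of protected domains using a small constructed confusables map (a subset of Unicode UTS #39 covering only the letters in the advisory's apple.com example).  The protected list and the sample hostnames other than the advisory's own are assumptions.

```python
"""Added example (not from the advisory): inspect a hostname for Punycode
labels the way the advisory suggests reading a certificate's ASCII name."""
import unicodedata

ACE_PREFIX = "xn--"

# Constructed, deliberately tiny subset of the Unicode confusables data
# (UTS #39): the Cyrillic letters behind the advisory's apple.com example.
# A real deployment would load the full confusables table instead.
CONFUSABLES = {"\u0430": "a", "\u0440": "p", "\u04cf": "l", "\u0435": "e"}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; ASCII labels are unchanged."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def scripts_of(text: str) -> set:
    """Scripts used by the letters in text, taken from the first word of each
    character's Unicode name, e.g. {'LATIN'} or {'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def skeleton(text: str) -> str:
    """Replace each known confusable letter with its Latin look-alike."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def inspect_hostname(hostname: str, protected=()) -> dict:
    """Report the ASCII and Unicode forms of a hostname, whether any label is
    Punycode, the scripts involved, and which protected domain (if any) the
    name imitates once confusable letters are mapped to Latin."""
    labels = hostname.lower().rstrip(".").split(".")
    decoded = ".".join(decode_label(lbl) for lbl in labels)
    label_scripts = [scripts_of(decode_label(lbl)) for lbl in labels]
    return {
        "ascii": hostname.lower(),
        "unicode": decoded,
        "punycode": any(lbl.startswith(ACE_PREFIX) for lbl in labels),
        "scripts": sorted(set().union(*label_scripts)),
        "mixed_script_label": any(len(s) > 1 for s in label_scripts),
        "lookalike_of": [p for p in protected
                         if skeleton(decoded) == p and decoded != p],
    }


if __name__ == "__main__":
    # The first hostname is the advisory's example; the others are constructed.
    for host in ["xn--80ak6aa92e.com", "xn--mnchen-3ya.de", "www.uregina.ca"]:
        print(inspect_hostname(host, protected=["apple.com"]))
```

A legitimate internationalised name such as the constructed münchen example is also reported as Punycode, so the xn-- prefix alone means "look closer", and the lookalike check is what separates it from the spoof.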

Resources

For further reading, please see the following references:

Sophos: Phishing with Punycode when foreign letters spell English words

The Hacker News: This Phishing Attack is Almost Impossible to Detect

The Register: That apple.com link you clicked on? Yeah, it's actually Russian

Please contact the IT Support Centre if you have any questions or require assistance:

Email IT.Support@uregina.ca

Phone 306-585-4685

Webform http://www.uregina.ca/is/forms/ticket.html

In Person at ED 137 or Archer Library Commons