'Impossible to Identify' Website Phishing Attack Leaves Chrome & Firefox Users Vulnerable (But You Can Prevent It)
Sophisticated hackers have been exploiting vulnerabilities in Chrome and Firefox to trick even the most careful internet users into logging into fake domains for sites like Apple, Google, and Amazon.
Typically, a careful internet user would always check the domain of any site before logging in to ensure that the site does indeed read "apple.com" or "chase.com" in the address bar with a valid HTTPS connection. If the URLs were "apples.com" or "chaise.com," you'd know that they were probably phishing pages ready to steal your information.
However, with a phishing technique called a homograph attack, the URLs will look legit, but the content on the page you are loading comes from a different server. Xudong Zheng, an InfoSec researcher who wrote about this type of attack recently, noted that it is an "impossible to identify" bug in Firefox and Chrome used to steal a user's login credentials, financial information, and other sensitive information.
For instance, click on this demo link (it may not work if the server is overloaded) created by Zheng to see how easily a phishing attack could occur just by intercepting your browser's server before linking to a legitimate site.
How is this possible? The attack works by registering a domain name using Unicode-encoded characters that look identical to the ASCII equivalents of the site you want to phish. Although Unicode and ASCII characters are not identical to each other, Unicode is a superset of ASCII, but generally doesn't fit into all of ASCII's characters.
To register Unicode characters in domain names, one simply needs to encode the characters with Punycode to come up with the ASCII equivalent that the International Domain Name system requires for registering domain names. As most modern browsers now automatically unencode the Punycode-encoded domain names in their address bars back into Unicode, they look functionally identical to the ASCII domains they're trying to impersonate.
It is possible to register domains such as "xn--pple-43d.com", which is equivalent to "apple.com". It may not be obvious at first glance, but [my] "apple.com" uses the Cyrillic "a" (U+0430) rather than the ASCII "a" (U+0041).
So, when a spammer uses non-ASCII characters that look identical to their ASCII equivalents, you end up with scenarios where they can register specially crafted domain names that look like "chase.com" or "paypal.com" in your browser's address bar. This is how the current phishing attack — a homograph attack — is able to plague your browser.
Chrome and Firefox's browsers fail to recognize the impersonation of ASCII domains using Unicode that aren't on foreign TLDs, allowing for something as simple as a Cyrillic "a" to be used in place of the ASCII "a" on a dot com site. The two may look the same to the naked eye, but they are certainly not, and so the homographic attack takes place. Your browser will read "apple.com," but if you copy and paste the link, it will actually look like https://www.xn--80ak6aa92e.com.
Zheng has alerted the teams behind both Chrome and Firefox. Chrome has proceeded to fix the loophole for Chrome 59 (currently in an advanced beta release), and the company is also working to include the fix for the upcoming Chrome 58 public release, which will be pushed out at the end of April. Firefox has yet to address this issue even though Zheng alerted the company's team back in January.
Initially, Mozilla had the issue listed as "WONTFIX" on Bugzilla, but then reopened the case; Zheng noted on April 14 that the Firefox browser remains vulnerable still.
In the meantime, there are a few steps you can take to prevent the bug from attacking your browser.
Chrome users have to manually re-type the domain name portion of URLs (vs clicking them in emails you receive) until the update comes out as there is no setting to prevent the current phishing attack manually, but for Firebox, there is a way.
Type about:config in your address bar, press enter, and accept the risk. Then search for "Punycode." A parameter titled network.ID_show_punycode will appear in your browser settings. Double-click on the parameter to toggle the "Value" from false to true.
There are also a couple more options to prevent phishing attacks on any browser.
Highly recommended is implementing a password manager software with a browser extension such as LastPass, so everytime you need to log into any of your financial sites or social media accounts, LastPass will ensure that you are providing your account details to the legitimate site that you have saved in your password manager folder.
If the domain you come across looks like "facebook.com," but is actually a phishing site, LastPass will not automatically provide you with your login details, and instead, will detect it, alerting you that the site is not actually the legit Facebook you usually log into.
If you aren't interested in adding a password manager software to your browser, then another option is to always manually enter the domain name of any site that you need to provide personal info to.
Another option includes adding on a third-party Chrome extension such as Punycode Alert, which alerts you anytime you come across a Unicode domain in your browser.
As a hacker, this homograph attack is definitely something worth experimenting with to add to your phishing knowledge, and as a regular user, something you should be on the look out for.