Phishing Through Homographs: You Might Not Be Seeing What You Are Actually Seeing

August 18, 2017

For those who primarily visit websites in English, we expect a letter or character in a browser URL to be exactly what it appears to be, and for the most part it is. There are now exceptions to that rule, and those exceptions are what allow phishers to trick us when we merely visit a website. It has to do with the conversion between the Roman characters used in English and characters that are not Roman. The latter are what phishers are using against us as the Internet expands across the globe.

So far, researchers have found that Safari and Internet Explorer address this problem completely, and users of these two browsers should be protected. Chrome addressed it in Chrome 58 (the latest version is Chrome 59). Firefox users, however, are behind the curve and are still vulnerable.

A homograph is usually a word that is spelled the same as another but means something different. There are a lot of these in the English language: bass, bat, fine, lead, project, tear, wind, etc. In this particular case, the words are spelled differently but look the same when you see them in a website address. This is a problem with characters used in international domain names (IDN). Some of the characters used, such as Cyrillic or Kanji, are not among the original 26 Roman characters (or the numbers 0-9 plus the hyphen) that were used to translate domain names into a code the Internet can handle. So, when the address is converted and directed to a website, what you see in the address bar is not necessarily a faithful picture of the domain you are visiting.

Well, phishers are using this to their advantage and registering domains that appear legitimate when viewed in the browser address bar. One example is the word “apple” written in Cyrillic letters: when the browser converts it for display, it looks exactly like the Roman spelling, but it is a different domain. This means that someone who isn’t aware of this problem would be none the wiser that the site was malicious.

So if the displayed page is a clone of the legitimate page, the visitor has no reason to doubt its authenticity.
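What the browser shows and what the resolver actually sees are two different strings, and the gap between them is what a defender can check. The following is an added example, not code from the original article: it converts a Unicode hostname to the encoded xn-- form the Internet uses, works out which script each label is written in, and folds look-alike letters onto their Roman counterparts so that the Cyrillic “apple” compares equal to the real brand. The confusables table is a small constructed subset of the Unicode confusables list, the test domains are constructed, and Python’s built-in punycode codec is used in place of a full IDNA library.

```python
import unicodedata

# Constructed subset of the Unicode TR39 confusables list: Cyrillic and Greek
# letters that render like Roman ones in most fonts. Not exhaustive.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "ӏ": "l", "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q",
    "ԝ": "w", "ο": "o", "α": "a", "ν": "v", "ι": "i",
}

def to_ace(hostname):
    """Render each non-ASCII label as the xn-- (punycode) form the resolver sees."""
    out = []
    for label in hostname.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def from_ace(hostname):
    """Inverse of to_ace: the Unicode string a browser would display for an xn-- name."""
    out = []
    for label in hostname.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)

def scripts(label):
    """Scripts used by the letters of one label, taken from Unicode character names."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()})

def skeleton(hostname):
    """Fold confusable letters onto their Roman look-alikes for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname.lower())

def assess(hostname, protected):
    """Report how a hostname is shown, how it is encoded, and which brand it imitates, if any."""
    shown = from_ace(hostname)
    verdict = {"shown": shown, "ace": to_ace(shown),
               "scripts": [scripts(label) for label in shown.split(".")],
               "lookalike_of": None}
    for brand in protected:
        if shown != brand.lower() and skeleton(shown) == skeleton(brand):
            verdict["lookalike_of"] = brand
    return verdict
```

A label whose script list is longer than one entry, or whose script differs from the brand it resembles, is the signal to act on; the encoded form is what to search for in logs and certificate transparency data.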

If you come across a site that asks you to install a new font, take a second look at the address to make sure you didn’t make a typo. Try retyping it to see if that dialog disappears. If it does not, there is a good chance you are being phished or the site has been hijacked, and you may want to skip visiting it.

The positive side of this is that developers have found a workaround that lets international characters be converted in other browsers. This allows anyone who registers an international domain name (IDN) to have the address displayed in its native script for those who type it that way, such as names using umlauts or Kanji characters. This is what keeps us all globally connected, and it works most of the time. Just beware of the few times it doesn’t. Make sure to update your browsers and keep all device software updated too.

© Copyright 2017 Stickley on Security