Two things will survive a nuclear holocaust: Cockroaches and crafty URLs like ғасеьоок.com

Pesky phishing pages using international domain names just won't go away

It's been known for a long while that people can use similar-looking non-Roman characters to create internet addresses that look similar to real ones.

These dishonest URLs have been doing the rounds for years. And, sadly, the abuse of homographs to craft dodgy web addresses continues well into this day, according to security researchers.

In an extensive review of top brands – including: tech companies like Apple, Google, Facebook; banks and cryptocurrency burgs like Bank of America, Poloniex and Coinbase; and sites like the New York Times, Wikipedia and Walmart – Farsight Security discovered that scammers had gone to some lengths to register domains similar to the real thing in an attempt to phish unsuspecting internet users.

In the worst cases, the researchers found websites masquerading as Facebook.com and Poloniex.com – and encouraging users to login, presumably storing their details to use later.

As one example, the domain address "xn--polonex-3ya.com" which is turned into the address polonìex.com in browsers configured to display internationalized domain names (IDNs), featured the exact same user interface as the real poloniex.com website and even had a valid security certificate.

The scammers clearly aren't English speakers, however, or if they are they have terrible attention to detail, because the "Sign in" button was wrongly labeled "Sing in," in that case.

The same shenanigans were noticed with a Facebook clone using the address "xn--80akppap2f62a.com" which looks like ғасеьоок.com.

It's a little more obvious that is a fake Facebook address, but if a netizen isn't paying close attention, it is all too easy for the mark to click a link and end up at a malicious password-stealing website that looks exactly like a real social media network.

Not the first time

This is, as we said, not a new problem. In fact, it was first openly discussed over a decade ago in domain name circles, although the issue was punted into the long grass and didn't reemerge until five years later when scammers cottoned onto the possibilities.

Since then there have been half-hearted attempts to address the shortcoming in the domain-name system's design. Unfortunately, other topics have consistently taken precedence, not least because internet engineers just don't believe it's that much of an threat.

The legit use of IDNs remains comparatively small for a whole host of complicated reasons and the advice from (the predominately English speaking) internet engineers whenever the subject crops up is to simply disable the code that renders the domains as normal words, leaving you with the xn--mess.bleh.

Non-English speakers are also thought to be more aware of unusual characters appearing in their browser bars – and, of course, are less likely to be fooled by English-looking words.

Email

The main way to get people to visit phishing IDNs is through links in emails. Fortunately, more and more people are suspicious about any link that arrives in an email from someone they don't know.

Plus, spam filters are not big fans of IDN addresses so many users likely won't see phishing emails in the first place.

But all that aside, the research by Farsight indicates that these websites do exist and have been set up to scam people, so there are, presumably, plenty of people that are being fooled into believing they are the real deal.

In its blog post on the topic this week, it only lists two websites it is certain were phishing efforts – the two mentioned above – but it also includes an appendix of dozens of suspicious looking domains that have been registered and whose only real use would be to fool unsuspecting internet users.

It is all too possible that a carefully planned phishing attack will land in future and cause a major headache. Maybe then the domain name industry will finally bother to address the issue. ®




Biting the hand that feeds IT © 1998–2018