Add to favourites
News Local and Global in your language
30th of April 2017


Chrome Blocks Crafty URL Phishing Method

By using non-Latin Unicode characters, it's theoretically possible to register a domain name for a phishing website that looks nearly identical to the one it's trying to spoof.

How my neighbor beat a PC scam

Google this week updated its Chrome web browser to defend against a Unicode manipulation technique that phishing scammers could use to trick internet surfers into visiting malicious websites.

By registering a URL made up of characters from non-Latin alphabets, scammers can make it look nearly identical to that of the website it's trying to imitate, as security blogger Xudong Zheng demonstrated this week. Zheng registered the domain name "," a Unicode formula known as "punycode" that Chrome, Firefox, and other browsers will display as virtually identical to ""

The technique is known as a homograph attack, and using it in website phishing scams has been theoretically possible since 2009, when the Internet Corporation for Assigned Names and Numbers approved the addition of top-level domain names with non-Latin character sets. It languished in relative obscurity until the past few months, when security researchers and bug chasers began discussing it on Reddit and various developer forums.

The increased attention caused Google to change the way the Chrome browser displays URLs. Starting with Chrome version 58, URLs containing Cyrillic characters will only be displayed as text if the domain also contains non-Latin characters. If a user attempts to load a website from a domain like ".com" or ".net" with a Cyrillic character in its URL, the browser will block it as a dangerous site.

Firefox maker Mozilla did not announce a specific fix, and said that domain registries should identify homograph attacks.

"We continue to investigate ways to further address visual spoofing attacks, which are complex to fix with technology just in the browser alone," a Mozilla spokesperson said in a statement. "Domain name registries are in an ideal position to help address this problem because they have the necessary information to identify these potential attacks before they occur."

Zheng noted that it's possible for Firefox users to implement their own blocking by changing their browser's configuration code. To do so, type "about:config" into the address bar and set the "network.IDN_show_punycode" option to "true."

It's unclear if Microsoft plans to implement similair fixes for its Edge Browser. Microsoft did not immediately respond to a request for comment. Other lesser-used browsers, including Apple's Safari, are not affected by the vulnerability, according to Zheng.

Editor's Note: This story was updated on 4/21 with comment from Mozilla.

Read More

Leave A Comment

More News

Digital Trends Breaking News

Engadget RSS Feed


Ars Technica » Gear

TechCrunch » Gadgets

Geeky Gadgets

Disclaimer and is not the owner of these news or any information published on this site.