Homograph Phishing Attacks are almost impossible to detect on major browsers

Share this…

The Chinese security Xudong Zheng is warning of Homograph Phishing Attacks are “almost impossible to detect” also to experts.

The Chinese security researcher Xudong Zheng has devised a phishing technique that is “almost impossible to detect.”

Hackers can exploit a known vulnerability in the popular web browsers Chrome, Firefox and Opera to display to the users fake domain names as apparently legitimate services, like Apple and Google.

This attack is known as homograph attack, hackers can register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. This is possible if the address uses a foreign language, for example using the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041).

To give you an idea of the technique reported by Zheng give a look at this demo web page created by the expert.

Well it displays in the address bar the URL


and also uses the HTTPs protocol.

However, if you try to copy and paste the URL in another page you will see the following address:


So, in case the displayed page is a clone of the legitimate page there is no reason to doubt regarding its authenticity.

Homograph Phishing Attacks

Despite the Homograph attack has been known since 2001, major browsers still haven’t solved the issue and are still vulnerable to Homograph Phishing Attacks.

“Chrome’s (and Firefox’s) homograph protection mechanism unfortunately fails if every characters is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by only using Cyrillic characters.” Xudong Zheng said in a blog post. “You can check this out yourself in the proof-of-concept using Chrome or Firefox. In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable. It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate. This program nicely demonstrates the difference between the two sets of characters. Internet Explorer and Safari are fortunately not vulnerable.”

Anther PoC page was created by researchers at security firm Wordfence, in this case, the experts spoofed the “epic.com” domain.

Major web browsers use ‘Punycode’ encoding by default to represent Unicode characters in the URL.

Punycode converts Unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by International Domain Names (IDNs) system.
The Chinese domain “.co” is represented in Punycode as “xn--s7y.co“. The xn-- prefix, aka ‘ASCII compatible encoding’ prefix, indicates web browser that the domain uses ‘punycode’ encoding to represent Unicode characters.

The flaw reported by the Chinese researcher could be exploited to register a domain having characters that are interpreted by major browsers in the wrong way. This trick could allow bypassing phishing protections implemented by several browsers, including Chrome, Firefox, and Opera.

Zheng reported this issue to the affected browser vendors early this year. Google has solved the problem in the experimental Chrome Canary 59 and will release a stable fix with the release of Chrome Stable 58.

The only way to prevent the Homograph Phishing Attacks is to disable Punycode support in your web browsers waiting for a fix, unfortunately only Firefox allows it.

“Firefox users can limit their exposure to this bug by going to about:config and setting network.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains. Thanks to /u/MARKZILLA on reddit for this solution.” wrote Zheng.

“A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. I hope Firefox will consider implementing a fix to this problem since this can cause serious confusion even for those who are extremely mindful of phishing.”