Phish.ai IDN Protect

The team from Phish.ai has developed and released a Google Chrome extension that can detect when users are accessing domains spelled using non-standard Unicode characters and warn the users about the potential of a homograph attack.

Miscreants often use such intentionally misspelled domains to lure users on phishing sites, where they collect user credentials or trick victims into downloading files laced with malware.

How homograph attacks work

This is possible because more than a decade ago ICANN has allowed the registration of internationalized domain names, regionalized for various languages and alphabets, spelled using Unicode characters.

Some of these Unicode characters are visually identical to standard Latin characters. This visual resemblance has opened the door for attackers to register domains that can fool users that don't pay close attention to the URL string.

For example, users must look very closely at coịnbạse.com to notice the small dots under the "i" and "a" characters.

Trying to trick users using such domains is called an internationalized domain name (IDN) homograph attack, or a Unicode attack.

Such attacks have started becoming popular in recent years, with several incidents reported in the past year alone [1, 2, 3].

Some browsers are better at protecting users than others

Some browsers have fought back by replacing the Unicode characters with Punycode, an ASCII-based representation of Unicode characters. For example, instead of coịnbạse.com, some browsers like Edge or Vivaldi will show xn--conbse-zc8b7m.com instead, clearly highlighting that there's something wrong with the URL.

But Chrome and Firefox do not show the Punycode version of the URL by default. For Firefox, showing Unicode domains in Punycode requires users to switch a flag in the about:config section.

Chrome, on the other hand, displays the URL Punycode version in the title bar, but not the address bar. This is where Phish.ai's extension comes to help, by showing a big red window every time the user is attempting to access a domain containing Unicode characters (pictured at the top of the article).

The error message is similar to the Safe Browsing alert and will block access to the site, forcing the user to respond and pay attention to the URL.

The Phish.AI IDN Protect Chrome extension's source code is available on GitHub and the extension is also available on the Chrome Web Store, for easy installation.

Related Articles:

Google Adds New Rules To End Malicious Chrome Extensions

Speech Synthesis API Being Restricted in Chrome 71 Due to Abuse

Internal Chrome Page Shows All Google Interstitial Warnings

Chrome 71 Will Warn Users about Deceptive Mobile Billing Pages

Chrome 71 Will Block All Ads on Abusive Sites in December