The team from Phish.ai has developed and released a Google Chrome extension that can detect when users are accessing domains spelled using non-standard Unicode characters and warn the users about the potential of a homograph attack.
Miscreants often register such deliberately look-alike domains to lure users to phishing sites, where they harvest credentials or trick victims into downloading malware-laced files.
This is possible because, more than a decade ago, ICANN allowed the registration of internationalized domain names (IDNs), localized for various languages and alphabets and spelled with Unicode characters.
Some of these Unicode characters are visually identical, or nearly so, to standard Latin characters. This resemblance has opened the door for attackers to register domains that fool users who don't pay close attention to the URL string.
For example, users must look very closely at coịnbạse.com to notice the small dots under the "i" and "a" characters.
Trying to trick users using such domains is called an internationalized domain name (IDN) homograph attack, or a Unicode attack.
Some browsers have fought back by rendering such domains in Punycode, the ASCII encoding (with an "xn--" label prefix) that carries Unicode domain labels in DNS. For example, instead of coịnbạse.com, browsers like Edge or Vivaldi show xn--conbse-zc8b7m.com, which makes it obvious that something is off with the URL.
Chrome and Firefox, however, do not show the Punycode form of a domain like this one by default. In Firefox, displaying all Unicode domains as Punycode requires flipping the network.IDN_show_punycode preference in about:config.
Firefox users, do yourself a favor and enable homograph attack detection by enabling "IDN_show_punycode" inside about:config pic.twitter.com/P7x6Sdurjc — Catalin Cimpanu (@campuscodi) March 13, 2018
Chrome, on the other hand, displays the Punycode version of the URL in the title bar, but not in the address bar. This is where Phish.ai's extension helps: it shows a large red warning page every time the user attempts to access a domain containing Unicode characters (pictured at the top of the article).
The warning resembles the Safe Browsing alert and blocks access to the site, forcing the user to stop and pay attention to the URL before continuing.
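As an added illustration (not the Phish.ai extension's code, nor code from the article), here is the Punycode conversion described above and the kind of "does this hostname contain non-ASCII labels?" check such an extension performs, in JavaScript. The encoder follows RFC 3492; the hostnames are constructed samples. The only mapping applied before encoding is NFC normalization plus lowercasing, an assumed simplification of the full IDNA/UTS #46 processing browsers apply, so for unusual inputs (e.g. full-width characters) the browser's result may differ.

```javascript
// Added example: RFC 3492 Punycode encoder plus a hostname check of the
// kind a homograph-warning browser extension performs. Not the extension's
// own code; sample domains below are constructed for illustration.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation from RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > Math.floor(((BASE - TMIN) * TMAX) / 2)) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Digits 0..25 map to a-z, 26..35 map to 0-9.
function digitChar(d) {
  return String.fromCharCode(d < 26 ? 97 + d : 22 + d);
}

// Encode one Unicode label (without the "xn--" prefix), e.g. "bücher" -> "bcher-kva".
function punycodeEncode(label) {
  const cps = Array.from(label, ch => ch.codePointAt(0));
  // Basic (ASCII) code points are copied verbatim, followed by a delimiter.
  let out = cps.filter(cp => cp < 0x80).map(cp => String.fromCodePoint(cp)).join('');
  const b = out.length;
  let h = b;
  if (b > 0) out += '-';
  let n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  while (h < cps.length) {
    // Next non-basic code point to insert, in increasing code point order.
    const m = Math.min(...cps.filter(cp => cp >= n));
    delta += (m - n) * (h + 1);
    n = m;
    for (const cp of cps) {
      if (cp < n) delta++;
      if (cp === n) {
        // Emit delta as a variable-length generalized integer.
        let q = delta;
        for (let k = BASE; ; k += BASE) {
          const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
          if (q < t) break;
          out += digitChar(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += digitChar(q);
        bias = adapt(delta, h + 1, h === b);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

const NON_ASCII = /[^\x00-\x7f]/;

// Convert a hostname to its ASCII (xn--) form label by label.
function toAsciiHost(host) {
  return host.split('.')
    .map(l => (NON_ASCII.test(l) ? 'xn--' + punycodeEncode(l) : l))
    .join('.');
}

// The check an extension would run on a navigation target: flag any label
// that contains non-ASCII characters, or that is already an "xn--" label
// (the form the browser may hand to an extension after URL parsing).
function checkHomograph(host) {
  const normalized = host.normalize('NFC').toLowerCase(); // assumed simplified mapping
  const labels = normalized.split('.');
  const nonAsciiLabels = labels.filter(l => NON_ASCII.test(l));
  const idnLabels = labels.filter(l => NON_ASCII.test(l) || l.startsWith('xn--'));
  return {
    unicodeHost: normalized,
    asciiHost: toAsciiHost(normalized),
    nonAsciiLabels,
    warn: idnLabels.length > 0,
  };
}

// Constructed sample: the look-alike domain discussed in the article.
for (const h of ['coịnbạse.com', 'coinbase.com']) {
  const r = checkHomograph(h);
  console.log(`${r.unicodeHost} -> ${r.asciiHost} warn=${r.warn}`);
}
```

In both Node and browsers, `new URL("https://coịnbạse.com/").hostname` already applies the IDNA conversion and returns the same `xn--conbse-zc8b7m.com`, so an extension that only needs the ASCII form can check for `xn--` labels on the parsed URL instead of encoding itself; the encoder above is there to show what that string is made of.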