
The team from Phish.ai has developed and released a Google Chrome extension that can detect when users are accessing domains spelled using non-standard Unicode characters and warn the users about the potential of a homograph attack.
Miscreants often use such intentionally misspelled domains to lure users to phishing sites, where they collect user credentials or trick victims into downloading files laced with malware.
How homograph attacks work
This is possible because more than a decade ago ICANN allowed the registration of internationalized domain names, regionalized for various languages and alphabets and spelled using Unicode characters.
Some of these Unicode characters are visually identical to standard Latin characters. This visual resemblance has opened the door for attackers to register domains that can fool users that don't pay close attention to the URL string.
For example, users must look very closely at coịnbạse.com to notice the small dots under the "i" and "a" characters.
Trying to trick users using such domains is called an internationalized domain name (IDN) homograph attack, or a Unicode attack.
Such attacks have started becoming popular in recent years, with several incidents reported in the past year alone [1, 2, 3].
Some browsers are better at protecting users than others
Some browsers have fought back by replacing the Unicode characters with Punycode, an ASCII-based representation of Unicode characters. For example, instead of coịnbạse.com, some browsers like Edge or Vivaldi will show xn--conbse-zc8b7m.com, clearly highlighting that there's something wrong with the URL.
But Chrome and Firefox do not show the Punycode version of the URL by default. For Firefox, showing Unicode domains in Punycode requires users to switch a flag in the about:config section.
Firefox users, do yourself a favor and enable homograph attack detection by enabling "IDN_show_punycode" inside about:config pic.twitter.com/P7x6Sdurjc
— Catalin Cimpanu (@campuscodi) March 13, 2018
Chrome, on the other hand, displays the URL Punycode version in the title bar, but not the address bar. This is where Phish.ai's extension comes to help, by showing a big red window every time the user is attempting to access a domain containing Unicode characters (pictured at the top of the article).
The error message is similar to the Safe Browsing alert and will block access to the site, forcing the user to respond and pay attention to the URL.
The Phish.AI IDN Protect Chrome extension's source code is available on GitHub and the extension is also available on the Chrome Web Store, for easy installation.
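To make the Punycode conversion and the "warn on any Unicode label" behaviour concrete, here is an added example (not the Phish.ai extension's code) that inspects a URL's hostname the way a defender's browser check would: it emits the xn-- form a browser like Edge shows, lists the non-ASCII characters by Unicode name, and also runs a stricter mixed-script heuristic to show why it alone is not enough. The sample URLs are constructed; the Cyrillic lookalike is my own addition beyond the article's coịnbạse.com example.

```python
import unicodedata
from urllib.parse import urlsplit


def char_script(ch: str) -> str:
    """Approximate a character's script by the first word of its Unicode name
    (e.g. 'LATIN SMALL LETTER A WITH DOT BELOW' -> 'LATIN')."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyze_hostname(url: str) -> dict:
    """Report on the hostname of `url`: its Punycode (xn--) form, whether any
    label contains non-ASCII characters, the names of those characters, and
    whether a single label mixes scripts (hypothetical helper, not the extension's)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    ascii_labels, non_ascii, mixed = [], [], False
    for label in host.split("."):
        if label.isascii():
            ascii_labels.append(label)
            continue
        # Python's "idna" codec applies nameprep and Punycode, yielding the
        # xn-- form that browsers like Edge or Vivaldi show instead of Unicode.
        ascii_labels.append(label.encode("idna").decode("ascii"))
        non_ascii += [(ch, unicodedata.name(ch, "UNKNOWN"))
                      for ch in label if not ch.isascii()]
        # A label drawing letters from more than one script is a stronger
        # signal, but an all-Latin label with diacritics slips past it.
        if len({char_script(ch) for ch in label if ch.isalpha()}) > 1:
            mixed = True
    return {
        "host": host,
        "punycode": ".".join(ascii_labels),
        "is_idn": bool(non_ascii),      # what the extension warns on
        "mixed_script": mixed,          # stricter, but misses coịnbạse.com
        "characters": non_ascii,
    }


if __name__ == "__main__":
    # Constructed sample URLs: the article's coịnbạse.com (written with escapes
    # so the dotted i and a survive copy-paste), a Cyrillic-a lookalike of
    # apple.com, and a plain ASCII hostname for comparison.
    for url in ("https://co\u1ecbnb\u1ea1se.com/login",
                "https://\u0430pple.com",
                "https://www.bleepingcomputer.com"):
        print(analyze_hostname(url))
```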
Comments
cat1092 - 6 years ago
Thanks for the article & tip, have added the extension to Google Chrome via their Web Store.
Cat
pcpunk - 6 years ago
"Thanks for the article & tip, have added the extension to Google Chrome via their Web Store.
Cat"
X2! Giving it a try on one of my test PCs.
Occasional - 6 years ago
Yes, first heard of the obscure character ploy at a dev conference quite a few years back. Somewhat surprising that it's taken this long for browser solutions.
Being an avid misspeller and not a touch-typist, I'd be more prone to simple misdirection of URLs. Don't know if there's a name for these; but have seen sites deliberately named as likely misspell, or typo, or using "one" where the legit site uses "1", etc.
With a search box just below the address bar in Edge's new tab, making a habit of searching "whatever I'm looking for", then selecting from the result list, helps me avoid either trap. After the first correct connection, that site comes up in history or frequently visited site lists - so just "ble" in the address bar now fills in https://bleepingcomputer.com, rather than bleedingcomputer, or whatever.
However, this doesn't help with subdomains, such as "shop.advanceautoparts.com"; I have to select from saved favorites, or remember to start with "shop.ad" in the address bar to get the URL.
midimusicman79 - 6 years ago
FWIW, for Firefox, if you would rather NOT use/do NOT dare using the about:config method, albeit at the expense of using some more RAM, but value the convenience of using the said extension, then it is also available, here:
https://addons.mozilla.org/en-US/firefox/addon/phish-ai-idn-protect/
cat1092 - 6 years ago
I added this to Firefox a couple of days back, found in their extension base. Now am getting used to clicking onto the arrow whenever am on site, really neat little tool to have, cannot be using many resources.
As Occasional mentioned above, I also wonder 'why' did it take so long to have this addon, how long Mozilla (as well as Chrome) has had this & only now we're learning of the existence in this article.
It's unfortunate that the vast majority of Home & small business users will totally miss out on this 'must have' utility, most will never read this article. Hopefully will be published by others so that some will get the word. I've passed the 'NoCoin' extension to friends/family so their computers won't be used as a botnet, running at 100% to profit others, will have to do the same with this one.
Ideally, when opening the Chrome Web Store or Firefox add-ons, this should be a featured extension (as well as NoCoin), rather than the same well worn ones pushed over time. This looks to be (sort of) like those found in select security suites, am not sure if those perform the exact same function.
Cat
pcpunk - 6 years ago
I'm shocked there are only 2,445 users, that can't be right? I guess it is quite new as cat indicated.