The Online Citizen Asia

New phishing attack almost impossible to detect on Chrome, Firefox and Opera

by Martha Soezean
19/04/2017
in Current Affairs
Reading Time: 3 mins read

Phishing attack from Shutterstock.com

A Chinese infosec researcher, Xudong Zheng, has discovered a new phishing attack that is ‘almost impossible to detect’ and could deceive even the most careful users on the Internet.
He wrote on his blog that Punycode makes it possible to register domains with foreign characters. It works by converting each domain label to an alternative format that uses only ASCII characters. For example, the domain “xn--s7y.co” is equivalent to “短.co”.
From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.
Fortunately, modern browsers have mechanisms in place to limit IDN homograph attacks. Google Chrome’s IDN policy page sets out the conditions under which an IDN is displayed in its native Unicode form. In Chrome and Firefox, the Unicode form is hidden if a single domain label mixes characters from different scripts (for example Cyrillic and Latin). The “аpple.com” domain described above therefore appears in its Punycode form, “xn--pple-43d.com”, to limit confusion with the real “apple.com”.
Chrome’s (and Firefox’s) homograph protection unfortunately fails if every character is replaced with a look-alike from a single foreign script, because the mixed-script check then has nothing to trigger on. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by using only Cyrillic characters.
“You can check this out yourself in the proof-of-concept using Chrome or Firefox. In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable,” Zheng wrote.
It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate, where the “xn--” form is still visible. A demonstration program on his blog shows the difference between the two sets of characters. Internet Explorer and Safari are not affected, Zheng noted.
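As an added worked example (not code from Zheng’s blog or from any browser), the following Python decodes the Punycode labels quoted above with the standard library’s punycode codec and then applies the two display rules the article describes: the mixed-script check that Chrome and Firefox already had, which catches “аpple.com”, and a whole-script confusable check that also catches “аррӏе.com”. Two simplifications are assumptions of this example: the Cyrillic-to-Latin look-alike table is a partial list constructed for illustration, and the script of a character is read off the first word of its Unicode name rather than from Unicode script data as real browsers do.

```python
"""Punycode decoding and IDN homograph checks (added illustration, not browser code)."""
import unicodedata

# Assumption: a partial, hand-constructed table of lowercase Cyrillic letters that
# render like Latin letters in common fonts. Browsers use Unicode's confusables data.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def to_unicode(host: str) -> str:
    """Decode every 'xn--' A-label of a hostname to its Unicode U-label (RFC 3492)."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def to_ascii(host: str) -> str:
    """Inverse direction: Punycode-encode any label that contains non-ASCII characters."""
    out = []
    for label in host.split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label)
    return ".".join(out)


def scripts_in(label: str) -> set:
    """Coarse script set of a label, read from Unicode character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and '-' are script-neutral."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def latin_skeleton(label: str):
    """Replace each Cyrillic look-alike with its Latin twin. Returns None if the label
    holds a non-ASCII letter with no Latin twin, i.e. it cannot imitate a Latin name."""
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in CYRILLIC_TO_LATIN:
            out.append(CYRILLIC_TO_LATIN[ch])
        else:
            return None
    return "".join(out)


def display_label(a_label: str) -> tuple:
    """Decide how a browser should render one label: (text_to_show, reason)."""
    if not a_label.lower().startswith("xn--"):
        return a_label, "plain ASCII"
    u_label = to_unicode(a_label)
    # Rule 1, the pre-fix Chrome/Firefox behaviour described in the article:
    # a label mixing scripts stays in Punycode. Catches "аpple" (Cyrillic а + Latin pple).
    if len(scripts_in(u_label)) > 1:
        return a_label, "mixed scripts -> shown as Punycode"
    # Rule 2, what rule 1 misses: a single-script label whose every letter has a Latin
    # look-alike is a whole-script confusable and stays in Punycode. Catches "аррӏе".
    skeleton = latin_skeleton(u_label)
    if skeleton is not None and skeleton != u_label:
        return a_label, f"whole-script confusable with {skeleton!r} -> shown as Punycode"
    return u_label, "single script, no Latin look-alike -> shown as Unicode"


def display_host(host: str) -> str:
    """Apply display_label to every label of a hostname and rejoin."""
    return ".".join(display_label(label)[0] for label in host.split("."))


if __name__ == "__main__":
    # The three domains quoted in the article.
    for host in ("xn--s7y.co", "xn--pple-43d.com", "xn--80ak6aa92e.com"):
        print(f"{host} decodes to {to_unicode(host)}; browser shows {display_host(host)}")
        print("   reason:", display_label(host.split(".")[0])[1])
```

Running the script shows “xn--s7y.co” rendered as “短.co”, while both “аpple.com” and “аррӏе.com” are held in their “xn--” form; the second only because of the whole-script rule, which is exactly the gap Zheng’s proof-of-concept exploited.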
Chrome
Image: Chrome / source: xudongz.com
Zheng explained that this bug had been reported to Chrome and Firefox on 20 January 2017 and was fixed in the Chrome 59 development trunk (currently in Canary) on 24 March. The Chrome team has since decided to include the fix in Chrome 58, which should be available around 25 April.
Firefox
Image: Firefox / source: xudongz.com
Image: Firefox SSL / source: xudongz.com
The problem remains unaddressed in Firefox, as its developers remain undecided whether it is within their scope.
However, Firefox users can limit their exposure to this bug by going to about:config and setting network.IDN_show_punycode to true. This forces Firefox to always display IDN domains in their Punycode form, making it possible to identify malicious domains.
“Thanks to /u/MARKZILLA on reddit for this solution,” Zheng acknowledged.
Firefox users can follow the steps below to apply this temporary mitigation manually:

1. Type about:config in the address bar and press Enter.

2. Type Punycode in the search bar.

3. The settings list will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.

Image: about:config / source: xudongz.com
“I hope Firefox will consider implementing a fix to this problem since this can cause serious confusion even for those who are extremely mindful of phishing,” Zheng said in his blog.
Opera
Unfortunately, there is no similar setting in Opera that forces Punycode display, Zheng said.
He advised that a simple way to limit the damage from bugs such as this is to always use a password manager, since a manager will only fill credentials on the exact domain they were saved for and will not recognise the look-alike. In general, users must be very careful and pay attention to the URL when entering personal information.
You can also follow Zheng on Twitter @Xudong_Zheng