Thread: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

  #1 djbaxter, Administrator (Ottawa, Canada)

    Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites
    by Mark Maunder, Wordfence.com
    April 14, 2017

    This is a Wordfence public service security announcement for all users of Chrome and Firefox web browsers:

    There is a phishing attack that is receiving much attention today in the security community. This variant of a phishing attack uses unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

    This affects the current version of Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers.

    We created our own example to demonstrate how an attacker can register their own domain that looks identical to another company’s domain in the browser. We decided to imitate a healthcare site called ‘epic.com’ by registering our own fake site. You can visit our demo site here in Chrome or Firefox. For comparison you can click here to visit the real epic.com.

    Here is what the real epic.com looks like in Chrome:

    Here is our fake epic.com in Chrome:

    And the real epic.com in Firefox:

    And here is our fake epic.com in Firefox:

    As you can see both of these domains appear identical in the browser but they are completely different websites. One of them was registered by us, today. Our epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in Chrome and Firefox as epic.com.

    The real epic.com is a healthcare website. Using our unicode domain, we could clone the real epic.com website, then start emailing people and try to get them to sign into our fake healthcare website which would hand over their login credentials to us. We may then have full access to their healthcare records or other sensitive data.

    We even managed to get an SSL certificate for our demonstration attack domain from Let's Encrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.

    How is this possible?
    The xn-- prefix is what is known as an ‘ASCII compatible encoding’ prefix. It lets the browser know that the domain uses ‘punycode’ encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.

    What we have done above is use ‘e’, ‘p’, ‘i’ and ‘c’ unicode characters that look identical to the real characters but are different unicode characters. In the current version of Chrome, as long as all characters are unicode, it will show the domain in its internationalized form.

    How to fix this in Firefox:
    In your Firefox location bar, type ‘about:config’ without quotes.

    Do a search for ‘punycode’ without quotes.

    You should see a parameter titled: network.IDN_show_punycode

    Change the value from false to true.

    Now if you try to visit our demonstration site you should see:

    Can I fix this if I use Chrome?
    Currently we are not aware of a manual fix in Chrome for this. Chrome have already released a fix in their ‘Canary’ release, which is their test release. This should be released to the general public within the next few days.

    Until then, if you are unsure if you are on a real site and are about to enter sensitive information, you can copy the URL in the location bar and paste it into Notepad or TextEdit on Mac. It should appear as the https://xn--….. version if it is a fake domain. Otherwise it will appear as the real domain in its unencoded form if it is the real thing.

    We would like to encourage you to spread the word. This new twist on phishing is getting a lot of attention today, Friday April 14th, and is making the rounds currently in the security community. We think there is a high possibility that this may be exploited in phishing attacks before the Chrome fix is released to the general public, which is why we are posting this public service announcement.
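An added example, not part of the Wordfence article or of this thread, showing in Python what the "How is this possible?" section describes and what the "copy the URL into Notepad" advice relies on: the xn-- prefix marks a label as punycode, decoding it yields the Cyrillic letters that render like e, p, i and c, and re-encoding the displayed name gives back the ASCII form a text editor would show. It also carries two defender-side checks on any hostname, not only the article's demo: a mixed-script check and a whole-script look-alike check that names the Latin domain being imitated. The domain xn--e1awd7f.com is the one from the article; the look-alike table, function names and demo values are my own constructions and are not the list any browser uses.

```python
import unicodedata

# Cyrillic lowercase letters whose usual glyphs are near-identical to Latin
# letters.  Constructed subset for this example; Unicode's full confusables
# table is much larger and this is not the list any browser applies.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}


def decode_label(label):
    """Undo the ACE form of one label: strip 'xn--' and punycode-decode the rest."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """Produce the ACE form of one label (what the registry actually stores)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_unicode(hostname):
    """ACE hostname -> the internationalized form a browser may display."""
    return ".".join(decode_label(part) for part in hostname.split("."))


def to_ascii(hostname):
    """Internationalized hostname -> the ACE form seen when the URL is pasted as text."""
    return ".".join(encode_label(part) for part in hostname.split("."))


def script_of(ch):
    """First word of the Unicode character name, e.g. 'CYRILLIC' or 'LATIN'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_labels(hostname):
    """Labels whose letters come from more than one script (a Cyrillic 'a' in 'apple')."""
    flagged = []
    for label in to_unicode(hostname).split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def spoof_target(hostname):
    """Whole-script look-alike check: if every letter of some label is a Cyrillic
    look-alike, return the Latin hostname the name imitates, else None."""
    out, spoofed = [], False
    for label in to_unicode(hostname).split("."):
        letters = [c for c in label if c.isalpha()]
        if letters and all(c in CYRILLIC_LOOKALIKES for c in letters):
            spoofed = True
            out.append("".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label))
        else:
            out.append(label)
    return ".".join(out) if spoofed else None


if __name__ == "__main__":
    demo = "xn--e1awd7f.com"  # the article's demonstration domain
    shown = to_unicode(demo)
    print("registered: ", demo)
    print("displayed:  ", shown)
    print("code points:", " ".join(f"U+{ord(c):04X}" for c in shown.split(".")[0]))
    print("imitates:   ", spoof_target(demo))
    print("re-encoded: ", to_ascii(shown))
```

Running the block prints the four code points U+0435 U+0440 U+0456 U+0441 for the displayed label, which is why the name looks like epic.com while sharing no letter with it; the whole-script check is the same idea the later browser fixes apply, and the mixed-script check catches the other common variant where only one letter is swapped.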

  #2 Linda Buquet, Community Leader - Google Local Specialist (SoCal)

    Yikes David! Thanks for the heads-up. One more thing to worry about online.

  #3 djbaxter, Administrator (Ottawa, Canada)

    At least the fix is easy for us Firefox users. All those Chrome people are going to have to wait until Google releases an update.

  #4 djbaxter, Administrator (Ottawa, Canada)

    Firefox released version 53.0 today but the default for that parameter is still false, so the upgrade does NOT fix the vulnerability.

    If you haven't yet done so, apply the fix. Once applied, future upgrades should respect your preference changes.

    How to fix this in Firefox:

    1. In your Firefox location bar, type ‘about:config’ without quotes.
    2. Do a search for ‘punycode’ without quotes.
    3. You should see a parameter titled: network.IDN_show_punycode
    4. Change the value from false to true. You can toggle the value simply by double-clicking on that option.
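An added example, not from this thread or from Mozilla, for the Firefox steps above and for the point that the preference should survive upgrades: it writes the same network.IDN_show_punycode preference into a profile's user.js file, which Firefox reads on every startup (so it also suits rolling the setting out to many machines). The preference name is the one from the thread; the function names are mine, and the profile directory in the demo is a temporary stand-in (find the real one via about:profiles).

```python
import re
import tempfile
from pathlib import Path

# Preference named in the thread; true makes Firefox show the xn-- form of an
# internationalized domain in the location bar instead of the look-alike glyphs.
PREF_NAME = "network.IDN_show_punycode"
PREF_LINE = f'user_pref("{PREF_NAME}", true);'

# Matches an existing user_pref line for this preference, whatever its value.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF_NAME) + r'"\s*,\s*(true|false)\s*\)\s*;\s*$'
)


def set_show_punycode(user_js_text):
    """Return user.js content with the preference forced to true.

    An existing line for the pref (true or false) is replaced in place;
    otherwise the line is appended.  Applying this twice changes nothing.
    """
    out, found = [], False
    for line in user_js_text.splitlines():
        if _PREF_RE.match(line):
            out.append(PREF_LINE)
            found = True
        else:
            out.append(line)
    if not found:
        out.append(PREF_LINE)
    return "\n".join(out) + "\n"


def apply_to_profile(profile_dir):
    """Write the preference into <profile_dir>/user.js, creating the file if absent."""
    path = Path(profile_dir) / "user.js"
    existing = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(set_show_punycode(existing), encoding="utf-8")
    return path


if __name__ == "__main__":
    # Demo on a temporary directory standing in for a real profile folder
    # (hypothetical location; Firefox's about:profiles page shows the real one).
    with tempfile.TemporaryDirectory() as profile:
        written = apply_to_profile(profile)
        print(written.read_text(encoding="utf-8"))
```

Because user.js is re-applied at every launch, a value set this way is reasserted even if something resets prefs.js, which is a stronger guarantee than relying on an upgrade to preserve a manual about:config change.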

  #5 djbaxter, Administrator (Ottawa, Canada)

    Good news for Chrome users.

    I just updated to the latest version of Chrome, Version 58.0.3029.81. It now correctly displays the demonstration link as "This is a demonstration website, not Epic" and shows this content:

    This is a page to demonstrate a unicode vulnerability that currently exists in Chrome and Firefox. The domain above is not the real epic.com. It is actually the unicode domain: https://www.xn--e1awd7f.com/

    This demonstrates how attackers can use phishing campaigns to imitate legitimate domains and fool users into entering sensitive data on a malicious website.

    Please click here to return to the blog post on wordfence.com discussing this issue.

    This site is not epic.com and has no affiliation with epic.com or Epic Systems Corporation. This page is not endorsed in any way by the owners of epic.com. To visit the real epic.com, you can click here.

  #6 Eric Rohrback, Global Moderator (Pittsburgh, PA)

    I just updated my version of Chrome as well (all good). Had to manually get into FF to update that setting too, so that's a shame it doesn't apply automatically when FF updates.

  #7 djbaxter, Administrator (Ottawa, Canada)

    Quote Originally Posted by Eric Rohrback:
        Had to manually get into FF to update that setting too, so that's a shame it doesn't apply automatically when FF updates.

    But now that you've updated the setting, it won't be overwritten on the next FF update, so at least you only have to do it once.

  #8 Linda Buquet, Community Leader - Google Local Specialist (SoCal)

    Oh shoot, thanks for bumping, Eric. Reminded me I still have not done this.
