Phishing flaw found - but not in IE

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

NEWS

A security weakness in a standard for handling special character sets in domain names could let an attacker spoof Web sites on non-Microsoft browsers, a researcher has warned.

The problem arises because certain browsers support a standardised way of representing domain names in the letters or characters of any language, security expert Eric Johanson said at the ShmooCon hacker convention this weekend. Called Internationalised Domain Names, the standard allows companies to register domain names that appear to be the same in different languages.

That encoding scheme could enable an attacker to create a fake Web site for a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers -- Opera, Apple's Safari, and the Mozilla and Firefox browsers from the Mozilla Foundation. But instead of taking the victim to the trusted site, the link would lead to a phoney Web site with a domain rendered as the same address under the IDN process.

The Mozilla Foundation is looking for a long-term solution to the issue, Chris Hofmann, director of engineering at the company, said in a statement.

"With the increase in phishing attacks, there is a growing concern that exploits could take advantage of this feature to trick users into visiting rogue sites," Hofmann stated. "Mozilla is looking at options for fixing or disabling this feature and should have more information available very soon."

Phishing attacks, which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and email messages, have become a central security concern recently. While vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws.

The security weakness in the IDN scheme comes as registrars push for support for expressing domain names in different languages and scripts.

"There are now many ways to display any domain name on a browser, as there are a huge number of (character sets) which look very similar to Latin (characters)," Johanson said in an advisory.

The advisory demonstrates the attack using the domain for PayPal, but using an alternate Unicode character for the first "a". That gives an address that looks like "http://www.pàypal.com," but with a smaller "a."

Details of the flaw were shown at ShmooCon, a hacking and computer security convention, in Washington D.C., last weekend. The Shmoo Group, a loose association of security professionals that runs the convention, notified the affected browser makers in mid-January. Johanson is a member of the Shmoo Group.

Apple, VeriSign and Opera Software could not immediately be reached for comment.

Microsoft has not implemented support for IDN yet, so its IE browser is not vulnerable to the flaw.

Browser security is gaining attention among software makers. In December, Internet security company Netcraft released an IE plug-in that it said could help people avoid becoming victims of online fraud. In addition, Netscape announced last month that it is getting ready to release a browser designed to resist phishing attacks.

Talkback

Is that really a security flaw, or is it just the way things are supposed to be and people should look out for people exploiting legitimate domain names by registering domains with similar sounding names, I can't see any difference between, say päypal.com and paypals.com, both are obviously not paypal.com and would take you to the wrong site if you didn't read the name properly.

It is nice finally being able to go to web sites which have the "proper" spelling (E.g. müller and not mueller).

I would class this as a risk, but not a flaw, from the article, the system appears to work as it should, just people can exploit native English speakers ignorance of foriegn languages.

It looks more like a user education problem than a flaw, or have I misread something in the article?

Maybe the flaw is more in the registering process, surely a domain name like päypal,com, Yahooo.com or Yahoö.com should start ringing alarm bells with the registrars?

via Facebook 8 February, 2005 11:02
Reply

So, not a bug in the browsers but another thing IE lacks. I completely agree with David. The registrars need to take more responsilbility for the names they give out.

via Facebook 9 February, 2005 09:23
Reply

There are a number of fixes out there for this issue which have been created since the news came to pass -- this extension is among them.

http://tinyurl.com/4yd4n

via Facebook 9 February, 2005 09:59
Reply

One of the biggest arguments out there against IDN is the Phishing argument. This has now largely been negated by ICANN banning registeration of mixed character scripts that are likely to cause confusion.

However, another side of the story has been put. It is clear that many words in local characters have multiple representations when transliterated, often with more than one system, into Latin Characters. Each of these ambiguities offers an opportunity for a Phisher to conduct his Scam. Unlike the problem of eliminating the use of rogue cyrillics in Latin scripts, I see no easy solution to this problem, as each of the transliterations are in a single script and therefore legitimate. Indeed, each could have legitimate usuage, but surely often won't.

The argument therefore develops into the imperative of introducing IDN to prevent Phishing Scams in Asia. Without IDN, it is likely that the confusion over how to transliterate will result in a Pandemic of Scamming, the scale of which will be unprecidented! I feel that we should no longer be silent on the issue of Phishing as IDN undoubtedly will hold the moral high ground on this issue.

via Facebook 20 November, 2005 15:16
Reply

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

archerthom

Sounds like only those who have bought their Kindle from Waterstones will be able to use them in-store - very disappointing. I have no intention...

1 hour ago by archerthom on Waterstones to sell Kindles with in-store offers
AndyPagin

From my mainframe operating days... 1) Play hoopla with write permit rings & a can of screen cleaner. 2) Make enormous paper chains (Christmas...

2 hours ago by AndyPagin on Ten IT jobs to save up for those rare lulls
61253

An OS X perspective Filenames beginning with a dot/period (.) should not be equated with HFS Plus resource forks; misunderstandings around ._ (dot...

2 hours ago by 61253 on SharePoint deployment: Pitfalls of a pioneer
ians1

There are many legal download sites for music at least that do not charge an arm and a leg like itunes or Napster. The "real" cost of an mp3 file...

3 hours ago by ians1 on The Pirate Bay infringes copyright, High Court decides
Jon Howells

@Crupal.. How does refusing your websites cookies help my privacy? A quick look at your page script reveals four sets of code provided by 3rd...

10 hours ago by Jon Howells via Facebook on Privacy watchdog to chase big companies over cookie law
Paul Carloss

There are hundreds, if not thousands of filesharing torrent sites, The Pirate Bay (TPB) is only one of them, while the TPB is blocked many more...

11 hours ago by Paul Carloss via Facebook on The Pirate Bay infringes copyright, High Court decides
Rebin Simpson

So could users DownGrade if the new OS didn't worked correctly ?

14 hours ago by Rebin Simpson on Sony delivers on Xperia Ice Cream Sandwich promise
duncanjmurray

Hmmm, I thought that with SSDs you could get to the mythical ubuntu 10 sec boot time? Is this not the case?

14 hours ago by duncanjmurray on Netbook Upgrade - SSD IN, Windows OUT
JoshArg

Thanks once again! I have installed Linux Mint 13 (Maya) everything runs well but.. bluetooh is not present, "there is no blueetooth adapter" do...

15 hours ago by JoshArg on Samsung N150 Plus Netbook - Ubuntu Netbook Edition 10.04
zdnetukuser

@JAW-- There’s a better-than-even chance that, had you made another choice of SSD, you would have noticed no improvement in battery life...

1 day ago by zdnetukuser on Netbook Upgrade - SSD IN, Windows OUT
Amb Rose

Please stop connecting the 'ATeam' to the UK Anonymous collective. Anonymous and the ATeam are not connected. The ATeam are not part of, affiliated...

2 days ago by Amb Rose via Facebook on UK Anonymous keeps up DDoS barrage on ICO
cpupal

Hi All I have looked into the cookie law today, there are a few solutions that these websites can use. Just add the widget and update your policy...

2 days ago by cpupal on Privacy watchdog to chase big companies over cookie law
dropz42

I read that many of the governments own websites are not yet compliant...shouldn't they sort that out before chasing others - slightly hypocritical !

2 days ago by dropz42 on Privacy watchdog to chase big companies over cookie law
Charles McLellan

@larrylisser Thanks for the feedback; you're quite right to surmise that the article's main point was to inform about developments in cloud-based...

2 days ago by Charles McLellan on VideoMeet: cloud-based video communication
J.A. Watson

@zdnetukuser - Thanks for pointing this out. I must admit that the relative power consumption of different manufacturers and models was something...

2 days ago by J.A. Watson on Netbook Upgrade - SSD IN, Windows OUT
J.A. Watson

@stevoparsons - You are absolutely right, I do expect a new system that is being connected to the Internet for the first time to pick up updates....

2 days ago by J.A. Watson on Windows Update Never Stops Sucking
zdnetukuser

@JAW-- Ya done good, boy. After two years of sifting and filtering data, it seems that the two lowest-power-consumption SSDs on the market are...

2 days ago by zdnetukuser on Netbook Upgrade - SSD IN, Windows OUT
stevoparsons

what else would you expect from turning on a machine for the first time; and at it has never been connected to the internet, and is loaded with an...

2 days ago by stevoparsons on Windows Update Never Stops Sucking
J.A. Watson

@JoshArg - Yes, you can erase the entire disk without worrying about messing up anything. In fact it can be even easier than that - your idea of...

3 days ago by J.A. Watson on Samsung N150 Plus Netbook - Ubuntu Netbook Edition 10.04
larrylisser

Having been around video for years now - and around companies that have innovated in efforts to push the industry forward - it's great to see...

3 days ago by larrylisser on VideoMeet: cloud-based video communication