Google this week updated its Chrome web browser to defend against a Unicode manipulation technique that phishing scammers could use to trick internet surfers into visiting malicious websites.
By registering a domain name made up of characters from non-Latin alphabets, scammers can make it look nearly identical to that of the website they're trying to imitate, as security blogger Xudong Zheng demonstrated this week. Zheng registered the domain name "xn--pple-43d.com," written in a Unicode encoding known as "punycode," which Chrome, Firefox, and other browsers will display as virtually identical to "www.apple.com."
The technique is known as a homograph attack, and using it in website phishing scams has been theoretically possible since 2009, when the Internet Corporation for Assigned Names and Numbers approved the addition of top-level domain names with non-Latin character sets. It languished in relative obscurity until the past few months, when security researchers and bug chasers began discussing it on Reddit and various developer forums.
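What the "xn--" form of the domain above actually encodes, as an added example (not code from the article, from Zheng, or from any browser): this Python sketch decodes each label and reports which scripts its letters come from. The function names and the mixed-script heuristic are assumptions for illustration, not Chrome's display rule.

```python
import unicodedata


def decode_label(label: str) -> str:
    """Decode one DNS label; labels starting with 'xn--' carry punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label


def scripts_in(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()  # digits and hyphens are shared by all scripts
    }


def inspect_host(host: str) -> list:
    """Return one finding per label: decoded form, scripts, and simple flags."""
    findings = []
    for raw in host.rstrip(".").split("."):
        shown = decode_label(raw)
        scripts = scripts_in(shown)
        findings.append({
            "ascii": raw,                 # what is registered in DNS
            "unicode": shown,             # what a browser may render
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
            "non_latin": bool(scripts - {"LATIN"}),
        })
    return findings


def looks_spoofed(host: str) -> bool:
    """Heuristic (assumption): flag any label that mixes scripts.
    A label written entirely in look-alike letters of one non-Latin
    script is not caught here; that needs a confusables table."""
    return any(f["mixed_script"] for f in inspect_host(host))


if __name__ == "__main__":
    for name in ("xn--pple-43d.com", "www.apple.com"):
        for finding in inspect_host(name):
            print(name, finding)
        print(name, "-> looks_spoofed:", looks_spoofed(name))
```

The first label of the article's domain decodes to a Cyrillic "а" (U+0430) followed by Latin "pple", which is why the ASCII and rendered forms differ so sharply.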
The increased attention caused Google to change the way the Chrome browser displays URLs. Starting with Chrome version 58, URLs containing Cyrillic characters will only be displayed as text if the domain also contains non-Latin characters. If a user attempts to load a website from a domain like ".com" or ".net" with a Cyrillic character in its URL, the browser will block it as a dangerous site.
It's unclear if Microsoft or Firefox maker Mozilla also plan to implement similar fixes, although Zheng noted that it's possible for Firefox users to implement their own blocking by changing their browser's configuration code. To do so, type "about:config" into the address bar and set the "network.IDN_show_punycode" option to "true." Microsoft and Mozilla did not immediately respond to requests for comment.
Other lesser-used browsers, including Apple's Safari, are not affected by the vulnerability, according to Zheng.
Scammers have been directing unsuspecting users to bogus domains that look identical to the real thing.